CVE-2020-26542
CRITICAL
Percona Server < 2020-10-02 - Improper Authentication via Blank Password in Simple LDAP Plugin
Title source: llm
Description
An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server. When using the SimpleLDAP authentication in conjunction with Microsoft's Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access to the service with which Active Directory is integrated, at the level granted to the authenticating account.
References (4)
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://www.percona.com/blog/2020/10/13/percona-distribution-for-mysql-pxc-variant-8-0-20-fixes-for-security-vulnerability-release-roundup-october-13-2020/
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://jira.percona.com/browse/PS-7358
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://jira.percona.com/browse/PSMDB-726
Release Notes, Vendor Advisory x_refsource_confirm
https://www.percona.com/doc/percona-distribution-mysql/8.0/release-notes-pxc-v8.0.20.upd2.html
Scores
CVSS v3: 9.8
EPSS: 0.0152
EPSS Percentile: 71.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (1): percona/percona_server < 2020-10-02
Published: Nov 09, 2020
Tracked Since: Feb 18, 2026