CVE-2014-4668
Published 2014-07-02
Priority P346 · medium · 6.8 CVSS 2.0 · AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS 2.84% (84.9th percentile)
The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cherokee-project | cherokee | <= 1.2.103 | — |
| cherokee-project | cherokee | — | — |
| fedoraproject | fedora | — | — |
| mageia_project | mageia | — | — |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [fedora-all]
bugzilla · 2014-06-30 · CVSS 6.8 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: t
Bugzilla
CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [epel-all]
bugzilla · 2014-06-30 · CVSS 6.8 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE
Bugzilla
CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds
bugzilla · 2014-06-30 · CVSS 6.8 · [MEDIUM]
Matthew Daley reported the following flaw:
""
Cherokee supports authenticating users via LDAP. It does not ensure that users provide a non-empty password when doing so. If the underlying LDAP server allows unauthenticated binds (see RFC 4513, section 5.1.2), an unauthenticated bind will be performed and not the name/password-based authenticated bind that Cherokee is expecting. The success of this bind will cause Cherokee to authenticate the user. This allows an attacker to authenticate as a user for which they only know the username and not the password.
Affected versions: current releases (<= 1.2.103)
""
Upstream fix: https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88
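The failure mode in the report, and the guard that closes it, as an added C example that is not Cherokee's code: the directory and its bind handling are a constructed stand-in for the RFC 4513 section 5.1.2 semantics, and the `validator_check_*` function names, the account and the password are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed directory contents: one account with a known password. */
static const char *DIR_USER = "alice";
static const char *DIR_PASS = "s3cret";

typedef enum { BIND_OK, BIND_INVALID_CREDENTIALS } bind_result_t;

/* Stand-in for an LDAP simple bind (RFC 4513 section 5.1.2): a non-empty
 * name with an empty password is an *unauthenticated* bind. A server
 * configured to allow it returns success without verifying any password;
 * only a non-empty password triggers a name/password authenticated bind. */
static bind_result_t mock_simple_bind(const char *dn, const char *pw,
                                      bool server_allows_unauth_bind)
{
    if (pw[0] == '\0')
        return server_allows_unauth_bind ? BIND_OK : BIND_INVALID_CREDENTIALS;
    if (strcmp(dn, DIR_USER) == 0 && strcmp(pw, DIR_PASS) == 0)
        return BIND_OK;
    return BIND_INVALID_CREDENTIALS;
}

/* Pre-fix logic as the report describes it: any successful bind, including
 * an unauthenticated one, is treated as proof of the user's identity. */
bool validator_check_vulnerable(const char *user, const char *pw,
                                bool server_allows_unauth_bind)
{
    return mock_simple_bind(user, pw, server_allows_unauth_bind) == BIND_OK;
}

/* Hardened logic: refuse an empty password before contacting the directory,
 * so the only bind ever performed is a name/password authenticated one. */
bool validator_check_fixed(const char *user, const char *pw,
                           bool server_allows_unauth_bind)
{
    if (user == NULL || pw == NULL || user[0] == '\0' || pw[0] == '\0')
        return false;
    return mock_simple_bind(user, pw, server_allows_unauth_bind) == BIND_OK;
}

int main(void)
{
    /* Server allows unauthenticated binds; client sends an empty password. */
    printf("vulnerable accepts: %d\n", validator_check_vulnerable("alice", "", true));
    printf("fixed accepts:      %d\n", validator_check_fixed("alice", "", true));
    return 0;
}
```

Disabling unauthenticated binds on the directory server closes the same gap from the other side, but the validator should not depend on that configuration.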
References
http://advisories.mageia.org/MGASA-2015-0181.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156162.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156190.html
http://openwall.com/lists/oss-security/2014/06/28/3
http://openwall.com/lists/oss-security/2014/06/28/7
http://www.mandriva.com/security/advisories?name=MDVSA-2015:225
http://www.securityfocus.com/bid/68249
https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88