CVE-2014-4668 — Improper Authentication in Cherokee

CWE-287 — Improper Authentication6 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.6%

top 30.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cherokee-project Cherokee Fedoraproject Fedora Mageia Project Mageia

Timeline

PublishedJul 2

Latest updateMay 17

Description

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDcherokee-project/cherokee1.2.103+5

▶NVDmageia_project/mageia4

Also affects: Fedora 20, 21, 22

🔴Vulnerability Details

GHSA

GHSA-x6gj-r267-c9vw: The cherokee_validator_ldap_check function in validator_ldap↗2022-05-17

▶

CVEList

CVE-2014-4668: The cherokee_validator_ldap_check function in validator_ldap↗2014-07-02

▶

💬Community

Bugzilla

CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [fedora-all]↗2014-06-30

▶

Bugzilla

CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds [epel-all]↗2014-06-30

▶

Bugzilla

CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds↗2014-06-30

▶