cbcvebase.
CVE-2020-26214
published 2020-11-06

CVE-2020-26214: In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP…

PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
65.93%
99.2th percentile
In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.

Affected

3 ranges
VendorProductVersion rangeFixed in
alertaalerta< 8.1.08.1.0
alerta_projectalerta< 7.5.77.5.7
alerta_projectalerta>= 8.0.0 < 8.1.08.1.0

Detection & IOCsextracted from sources · hover to see the quote

url/api/config
yara
regex: '"name": "Alerta ([0-9.]+)"'
  • Send a GET request to /api/config and check the response body for the strings '"alarm_model"', '"actions"', and '"severity"' together with a 200 status code to fingerprint a vulnerable Alerta instance.
  • Extract the Alerta version from the /api/config response body using the regex '"name": "Alerta ([0-9.]+)"' and flag any version less than 8.1.0 as vulnerable.
  • Authentication bypass is triggered by submitting an empty password against the LDAP-backed Alerta login; the server must return HTTP 401 for empty-password attempts to be protected.
  • ·Vulnerability only affects deployments where the LDAP server is configured to allow unauthenticated (anonymous) bind requests; LDAP servers that disallow unauthenticated bind are not affected.
  • ·The bypass requires Alerta to be configured with LDAP as the authorization provider; non-LDAP authentication backends are not impacted.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.