Auth bypass in Cherokee-project Cherokee

CVE-2014-4668

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an emp…

Vulnerability class: Broken Authentication

EPSS: 0.006 (70.0th percentile) — read the EPSS interpretation.

Affected products

Cherokee-project Cherokee — versions 1.2.2, 1.2.98, 1.2.99
Mageia_project Mageia — versions 4
Fedoraproject Fedora — versions 20, 21, 22
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

68249 (vdb-entry, x_refsource_BID)
[oss-security] 20140628 Re: CVE request / advisory: Cherokee (mailing-list, x_refsource_MLIST)
FEDORA-2015-6392 (x_refsource_FEDORA, vendor-advisory)
MDVSA-2015:225 (vendor-advisory, x_refsource_MANDRIVA)
FEDORA-2015-6279 (x_refsource_FEDORA, vendor-advisory)
cve@mitre.org (x_refsource_CONFIRM)
[oss-security] 20140628 CVE request / advisory: Cherokee (mailing-list, x_refsource_MLIST)
FEDORA-2015-6194 (x_refsource_FEDORA, vendor-advisory)
cve@mitre.org (x_refsource_CONFIRM)