Auth bypass in Apache CloudStack
CVE-2014-7807
Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind.
Vulnerability class: Broken Authentication
EPSS: 0.004 (62.2th percentile)
Affected products
- Apache CloudStack — versions 4.3.0, 4.3.1, 4.4.0
Weakness classification (CWE)
References
- secalert@redhat.com (x_refsource_CONFIRM)
- 20141208 [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds (mailing-list, x_refsource_BUGTRAQ)
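
The following is an added example, not CloudStack code. It models in Python the unauthenticated simple bind named in the description (RFC 4513 section 5.1.2: a DN sent with an empty password), and puts a login check that trusts any successful bind next to one that rejects empty passwords before binding. `FakeLdapServer`, the directory entry and both login functions are hypothetical and constructed for illustration; no real directory is contacted.

```python
# Constructed directory (DN -> password); the entry is sample data.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = {ALICE: "correct horse"}


class FakeLdapServer:
    """Hypothetical stand-in for a server that accepts RFC 4513 5.1.2 binds."""

    def simple_bind(self, dn: str, password: str) -> str:
        if dn == "" and password == "":
            return "anonymous"            # RFC 4513 section 5.1.1
        if password == "":
            # DN present, password empty: the bind succeeds, but the
            # session only has an anonymous authorization state.
            return "unauthenticated"      # RFC 4513 section 5.1.2
        if DIRECTORY.get(dn) == password:
            return "authenticated"        # RFC 4513 section 5.1.3
        raise PermissionError("invalidCredentials (49)")


def login_vulnerable(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Weak pattern: any bind that does not fail is taken as proof of identity."""
    try:
        server.simple_bind(dn, password)
        return True
    except PermissionError:
        return False


def login_hardened(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Refuse empty credentials before binding; accept only a verified bind."""
    if not dn or not password:
        return False
    try:
        return server.simple_bind(dn, password) == "authenticated"
    except PermissionError:
        return False


if __name__ == "__main__":
    srv = FakeLdapServer()
    for pw in ("", "wrong", "correct horse"):
        print(repr(pw), login_vulnerable(srv, ALICE, pw), login_hardened(srv, ALICE, pw))
```

RFC 4513 also recommends that servers fail unauthenticated binds by default with `unwillingToPerform`, so the client-side check and the directory configuration back each other up.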