Auth bypass in Dokuwiki

CVE-2014-8764

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

Vulnerability class: Broken Authentication

EPSS: 0.012 (79.5th percentile) — read the EPSS interpretation.

Affected products

Dokuwiki
Mageia_project Mageia — versions 3.0, 4.0
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

[dokuwiki] 20140918 Fwd: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication (mailing-list, x_refsource_MLIST)
61983 (x_refsource_SECUNIA, third-party-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
[oss-security] 20141013 CVE request: various security flaws in dokuwiki (mailing-list, x_refsource_MLIST)
[oss-security] 20141016 Re: CVE request: various security flaws in dokuwiki (mailing-list, x_refsource_MLIST)
DSA-3059 (vendor-advisory, x_refsource_DEBIAN)
secalert@redhat.com (x_refsource_CONFIRM)