What is CVE-2020-26214?

CVE-2020-26214 is a critical-severity vulnerability in Alerta, classified under Improper Authentication. CVSS score: 9.1/10. Published 2020-11-06.

How severe is CVE-2020-26214?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2020-26214 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Alerta

CVE-2020-26214

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured…

Vulnerability class: Broken Authentication

EPSS: 0.889 (99.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Alerta — versions < 8.1.0

Weakness classification (CWE)

CWE-287 — Improper Authentication

Public proof-of-concept exploits

References

github.com/alerta/alerta/security/advisories/GHSA-5hmm-x8q8-w5jh (x_refsource_CONFIRM)
github.com/alerta/alerta/issues/1277 (x_refsource_MISC)
github.com/alerta/alerta/pull/1345 (x_refsource_MISC)
github.com/alerta/alerta/commit/2bfa31779a4c9df2fa68fa4d0c5c909698c5ef65 (x_refsource_MISC)
pypi.org/project/alerta-server/8.1.0/ (x_refsource_MISC)
tools.ietf.org/html/rfc4513 (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-26214?: CVE-2020-26214 is a critical-severity vulnerability in Alerta, classified under Improper Authentication. CVSS score: 9.1/10. Published 2020-11-06.
How severe is CVE-2020-26214?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2020-26214 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.