VDB
CVE-2017-8028
CVE-2017-8028
PUBLISHED
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
EPSS 1.42% · 80.9th percentile
Risk Scores
EPSS Score
1.42%
80.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | libspring-ldap-java | 0, 1.3.1.RELEASE-4 |
Timeline
- Nov 27, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-8028 third-party-advisory
- https://pivotal.io/security/cve-2017-8028 third-party-advisory
- https://github.com/spring-projects/spring-ldap/issues/430 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-8028 third-party-advisory