Support Incident Tracker before 3.51, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Support_incident_tracker | Sitracker | * | 3.50 (including) |
| Support_incident_tracker | Sitracker | 3.21 (including) | 3.21 (including) |
| Support_incident_tracker | Sitracker | 3.22 (including) | 3.22 (including) |
| Support_incident_tracker | Sitracker | 3.22pl1 (including) | 3.22pl1 (including) |
| Support_incident_tracker | Sitracker | 3.23 (including) | 3.23 (including) |
| Support_incident_tracker | Sitracker | 3.24 (including) | 3.24 (including) |
| Support_incident_tracker | Sitracker | 3.24-beta-2 (including) | 3.24-beta-2 (including) |
| Support_incident_tracker | Sitracker | 3.30 (including) | 3.30 (including) |
| Support_incident_tracker | Sitracker | 3.30-beta2 (including) | 3.30-beta2 (including) |
| Support_incident_tracker | Sitracker | 3.31 (including) | 3.31 (including) |
| Support_incident_tracker | Sitracker | 3.32 (including) | 3.32 (including) |
| Support_incident_tracker | Sitracker | 3.33 (including) | 3.33 (including) |
| Support_incident_tracker | Sitracker | 3.35 (including) | 3.35 (including) |
| Support_incident_tracker | Sitracker | 3.35-beta1 (including) | 3.35-beta1 (including) |
| Support_incident_tracker | Sitracker | 3.36 (including) | 3.36 (including) |
| Support_incident_tracker | Sitracker | 3.40 (including) | 3.40 (including) |
| Support_incident_tracker | Sitracker | 3.40-beta1 (including) | 3.40-beta1 (including) |
| Support_incident_tracker | Sitracker | 3.41 (including) | 3.41 (including) |
| Support_incident_tracker | Sitracker | 3.45 (including) | 3.45 (including) |
| Support_incident_tracker | Sitracker | 3.45-beta1 (including) | 3.45-beta1 (including) |
| Support_incident_tracker | Sitracker | 3.50-beta1 (including) | 3.50-beta1 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- http://bugs.sitracker.org/view.php?id=1047
- http://osvdb.org/61945
- http://secunia.com/advisories/38329
- http://sitracker.org/forum/viewtopic.php?f=4\u0026t=1416979\u0026p=2292
- http://sitracker.org/wiki/ReleaseNotes351
- http://www.securityfocus.com/bid/37949
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55871
- http://bugs.sitracker.org/view.php?id=1047
- http://osvdb.org/61945
- http://secunia.com/advisories/38329
- http://sitracker.org/forum/viewtopic.php?f=4\u0026t=1416979\u0026p=2292
- http://sitracker.org/wiki/ReleaseNotes351
- http://www.securityfocus.com/bid/37949
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55871