CVE-2014-4668

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Fedora	Fedoraproject	22	22
Fedora	Fedoraproject	20	20
Fedora	Fedoraproject	21	21

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://openwall.com/lists/oss-security/2014/06/28/3
https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88
http://openwall.com/lists/oss-security/2014/06/28/7
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156190.html
http://advisories.mageia.org/MGASA-2015-0181.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156162.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:225
http://www.securityfocus.com/bid/68249

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-4668
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References