The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.
2014-07-02T04:14:17.233
2025-04-12T10:46:40.837
Deferred
CVSSv2: 6.8 (MEDIUM)
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | fedoraproject | fedora | 20 | Yes |
| Operating System | fedoraproject | fedora | 21 | Yes |
| Operating System | fedoraproject | fedora | 22 | Yes |
| Operating System | mageia_project | mageia | 4 | Yes |
| Application | cherokee-project | cherokee | ≤ 1.2.103 | Yes |
| Application | cherokee-project | cherokee | 1.2.2 | Yes |
| Application | cherokee-project | cherokee | 1.2.98 | Yes |
| Application | cherokee-project | cherokee | 1.2.99 | Yes |
| Application | cherokee-project | cherokee | 1.2.101 | Yes |
| Application | cherokee-project | cherokee | 1.2.102 | Yes |