CVE-2011-1024

Severity

46%

Complexity

39%

Confidentiality

106%

chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.

CVSS 2.0 Base Score 4.6. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:P).

Overview

Type

OpenLDAP

First reported 13 years ago

2011-03-20 02:00:00

Last updated 8 years ago

2017-01-07 02:59:00

Affected Software

OpenLDAP 2.4.6

2.4.6

OpenLDAP 2.4.7

2.4.7

OpenLDAP 2.4.8

2.4.8

OpenLDAP 2.4.9

2.4.9

OpenLDAP 2.4.10

2.4.10

OpenLDAP 2.4.11

2.4.11

OpenLDAP 2.4.12

2.4.12

OpenLDAP 2.4.13

2.4.13

OpenLDAP 2.4.14

2.4.14

OpenLDAP 2.4.15

2.4.15

OpenLDAP 2.4.16

2.4.16

OpenLDAP 2.4.17

2.4.17

OpenLDAP 2.4.18

2.4.18

OpenLDAP 2.4.19

2.4.19

OpenLDAP 2.4.20

2.4.20

OpenLDAP 2.4.21

2.4.21

OpenLDAP 2.4.22

2.4.22

OpenLDAP 2.4.23

2.4.23

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735

[oss-security] 20110224 CVE Request -- OpenLDAP -- two issues

[oss-security] 20110225 Re: CVE Request -- OpenLDAP -- two issues

43331

Vendor Advisory

43708

43718

GLSA-201406-36

1025188

MDVSA-2011:055

MDVSA-2011:056

http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0

Patch

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607

[openldap-announce] 20110212 OpenLDAP 2.4.24 available