Miggo Logo
Miggo Vulnerability Database
CVE-2012-5604

CVE-2012-5604: ldap_fluff authentication bypass

4.3

CVSS Score

Basic Information

CVE ID
CVE-2012-5604
GHSA ID
GHSA-9whh-582r-589h
EPSS Score
0.68116%
CWE
-
Published
5/14/2022
Updated
1/26/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ldap_fluffrubygems< 0.4.00.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub patch explicitly adds a check for empty/nil passwords in the authenticate? method. The vulnerability description matches this code change - allowing authentication bypass via unspecified vectors (empty password being the implied vector). The commit message 'Protect against passwordless auth' directly correlates with the CVE's authentication bypass description. The vulnerable version range (<0.4.0) corresponds to versions without this password presence check.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** l**p_*lu** **m *or Ru*y, *s us** in R** **t *lou**orms *.*, w**n usin* **tiv* *ir**tory *or *ut**nti**tion, *llows r*mot* *tt**k*rs to *yp*ss *ut**nti**tion vi* unsp**i*i** v**tors.

Reasoning

T** *it*u* p*t** *xpli*itly ***s * ****k *or *mpty/nil p*sswor*s in t** `*ut**nti**t*?` m*t*o*. T** vuln*r**ility **s*ription m*t***s t*is *o** ***n** - *llowin* *ut**nti**tion *yp*ss vi* unsp**i*i** v**tors (*mpty p*sswor* **in* t** impli** v**tor).