CVE-2020-26214: LDAP authentication bypass with empty password
CVSS Score (CVSS v3.1): 9.1
Basic Information
CVE ID: CVE-2020-26214
GHSA ID:
EPSS Score: 0.99282%
CWE:
Published: 11/6/2020
Updated: 9/4/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| alerta-server | pip | >= 8.0.0, < 8.1.0 | 8.1.0 |
| alerta-server | pip | < 7.5.7 | 7.5.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability was patched by adding an explicit check for empty passwords to the `login` function in basic_ldap.py (shown in the commit diff). Before the fix, nothing rejected an empty password, so the LDAP bind was attempted with it. On an LDAP server that permits unauthenticated binds, a simple bind with a valid DN and an empty password is accepted as an unauthenticated (anonymous-equivalent) bind rather than rejected, so the login succeeded without any credential. The vulnerable code path is the authentication handling in that function, before the empty-password validation was added. Upgrading to a patched version removes the application-side gap; disabling unauthenticated binds on the LDAP server closes the same class of issue for any other client that forgets the check.