
CVE-2020-26214: LDAP authentication bypass with empty password

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.99282%
Published: 11/6/2020
Updated: 9/4/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| alerta-server | pip | >= 8.0.0, < 8.1.0 | 8.1.0 |
| alerta-server | pip | < 7.5.7 | 7.5.7 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability was patched by adding an explicit check for empty passwords in the `login` function of `basic_ldap.py` (shown in the commit diff). Before the fix, nothing rejected an empty password, so an LDAP bind was attempted with it; against a server that permits unauthenticated binds, that bind can succeed, completing the login without a valid credential. The vulnerable code path is therefore the authentication handling function as it stood before the empty-password validation was added.
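The following is an added illustration, not alerta's own code: a stand-in LDAP server with RFC 4513 unauthenticated-bind semantics, the pre-fix login shape that forwards whatever password it is given, and a hardened login that rejects an empty password before any bind is attempted. The DN template, the fake server and the credentials are constructed for the example.

```python
from dataclasses import dataclass


class AuthError(Exception):
    pass


@dataclass
class FakeLdapServer:
    """Constructed stand-in for an LDAP server.

    Mirrors RFC 4513 semantics: a simple bind that carries a DN but an
    empty password is an *unauthenticated* bind, which a server may accept
    without checking any credential at all.
    """
    allow_unauthenticated_bind: bool
    passwords: dict  # DN -> password (constructed test data)

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return self.allow_unauthenticated_bind
        return self.passwords.get(dn) == password


def login_vulnerable(server: FakeLdapServer, username: str, password: str) -> str:
    """Pre-fix shape: the user's password goes straight into the bind."""
    dn = f"uid={username},ou=people,dc=example,dc=org"  # assumed DN layout
    if not server.simple_bind(dn, password):
        raise AuthError("invalid credentials")
    return username


def login_fixed(server: FakeLdapServer, username: str, password: str) -> str:
    """Hardened shape: reject an empty password before any bind happens,
    which is the kind of check the patch for CVE-2020-26214 adds."""
    if not password:
        raise AuthError("password required")
    return login_vulnerable(server, username, password)


def attempt(login, server: FakeLdapServer, username: str, password: str) -> bool:
    """Return True when the given login function accepts the credentials."""
    try:
        login(server, username, password)
        return True
    except AuthError:
        return False
```

The same defence belongs on the server side too: an LDAP server that does not permit unauthenticated binds closes the bypass even for the unpatched login.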


WAF Protection Rules

WAF Rule

Impact

Users may be able to bypass LDAP authentication if they provide an empty password when alerta server is configured to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated binds
