Authentication Bypass Affecting ldap3 package, versions [,2.4)
Snyk CVSS
Attack Complexity
Low
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-LDAP3-42044
- published 22 Jan 2018
- disclosed 2 Aug 2017
- credit Unknown
Overview
ldap3
is a strictly RFC 4510 conforming LDAP V3 pure Python client library.
Affected versions of this package are vulnerable to Authentication Bypass via the rebind() method of the Connection object. It is performing the following comparison to validate input data:
if password:
self.password = password
That condition is false in case of password = '', so the old value of the object will be keep in that case, including case where the bind was correct.
This is a potential security hole, since a correct bind followed by a rebind with empty password will complete the binding correctly.