When using LDAP, authentication process may be bypassed #4562

Closed
TheWitness opened this issue Feb 21, 2022 · 3 comments
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE
Milestone

Comments

@TheWitness
Member

Describe the bug

Under certain LDAP conditions, Cacti authentication can be bypassed with certain credential types.

Expected behavior

Cacti security model should work when Anonymous binding is enabled.

@TheWitness TheWitness added bug Undesired behaviour SECURITY A security issue reported through CVE labels Feb 21, 2022
@TheWitness TheWitness added this to the v1.2.20 milestone Feb 21, 2022
TheWitness added a commit that referenced this issue Feb 21, 2022
Under certain LDAP server environments, cacti authentication can be bypassed
TheWitness added a commit that referenced this issue Feb 21, 2022
@TheWitness TheWitness added the resolved A fixed issue label Feb 22, 2022
@TheWitness
Member Author

Confirmed with the reporter that this issue is resolved. Still waiting on a CVE though.

@carnil

carnil commented Mar 4, 2022

CVE-2022-0730 appears to have been assigned for this issue.

@TheWitness
Member Author

Yup, CHANGELOG updated. Thanks!

@netniV netniV changed the title Under certain LDAP server environments, cacti authentication can be bypassed When using LDAP, authentication issues may be bypassed Apr 3, 2022
@netniV netniV changed the title When using LDAP, authentication issues may be bypassed When using LDAP, authentication process may be bypassed Apr 3, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Dec 2, 2022