[SERVER-20691] Vulnerability in LDAP authentication
Created: 29/Sep/15 Updated: 07/Jun/17 Resolved: 30/Sep/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code |
| Affects Version/s: | None |
| Fix Version/s: | 3.0.7, 3.1.9 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | asp, asp-cve, asp-sdl-internalassessment, asp-vuln-authbypass |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Completed: | |
| Sprint: | Security A 10/09/15 |
| Participants: | |
| Description |

Issue Status as of Dec 02, 2015

ISSUE SUMMARY
This vulnerability has been assigned CVE-2015-7882. To determine if your deployment is affected, run the following command on any node in your cluster:

If the output contains the word “PLAIN”, then your installation is vulnerable. The following example shows the output of the above command in a vulnerable installation:

USER IMPACT
WORKAROUNDS
AFFECTED VERSIONS
FIX VERSION

| Comments |
| Comment by Githook User [ 02/Dec/15 ] |

Author: Boomtime <andrew.ryder@10gen.com>
Message: PLAIN does not work for in-database users in 3.0 See Signed-off-by: kay <kay.kim@10gen.com>

| Comment by Githook User [ 02/Dec/15 ] |

Author: Boomtime <andrew.ryder@10gen.com>
Message: PLAIN does not work for in-database users in 3.0 See Signed-off-by: kay <kay.kim@10gen.com>

| Comment by Githook User [ 13/Oct/15 ] |

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message:

| Comment by Githook User [ 30/Sep/15 ] |

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message:

| Comment by Githook User [ 30/Sep/15 ] |

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message: