cvedb.io
CVE-2017-8028
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2017-11-27T10:29:00.720 · Last modified 2026-06-17T01:25:39.727

Summary

In Pivotal Spring-LDAP versions 1.3.0 through 2.3.1, authentication can succeed with an arbitrary password as long as the username is correct. The condition arises when connecting to some LDAP servers while using the LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, with userSearch set and no additional attributes bound. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

Affected products

pivotal_software — spring-ldap

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.