#VU72082 Weak password requirements in UnboundID LDAP SDK for Java - CVE-2018-1000134 

 


Published: February 9, 2023


Vulnerability identifier: #VU72082
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-1000134
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: UnboundID LDAP SDK for Java
Software vendor: Ping Identity

Description

The vulnerability allows an attacker to compromise the affected application.

The vulnerability exists because the application does not check for empty passwords when running in synchronous mode. A remote attacker can provide a valid username with an empty password and gain unauthorized access to the application.


Remediation

Install updates from the vendor's website.
