PT-2007-5545 · Openldap+2 · Ldap+2
Published: 2007-08-15
Updated: 2017-07-29
CVE-2007-4364
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Fedora Commons versions prior to 2.2.1
Description
The issue is related to improper handling of certain authentication requests involving Java Naming and Directory Interface (JNDI). This can be exploited in two ways: (1) using a nonexistent account name in combination with an empty password, which can trigger an unexpected response from an LDAP server, and (2) a reauthentication attempt that throws an exception, allowing the use of a cached authentication decision. Authentication can be bypassed by using the first vector followed by the second, and possibly by using a single vector.
Recommendations
For versions prior to 2.2.1, update to version 2.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the JNDI interface until a patch is applied. Avoid using empty passwords in authentication requests to minimize the risk of exploitation.
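The two conditions in the description (an empty password reaching the LDAP server, and a failed reauthentication falling back to a cached decision) can both be closed off in the authentication wrapper. The sketch below is an added example, not Fedora Commons code: the class name, the cache, the LDAP URL and the DN pattern are hypothetical and constructed for illustration.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

// Hypothetical fail-closed wrapper around a JNDI LDAP simple bind.
public class FailClosedLdapAuthenticator {
    private final String ldapUrl;   // constructed, e.g. "ldaps://ldap.example.org:636"
    private final String dnPattern; // constructed, e.g. "uid=%s,ou=people,dc=example,dc=org"
    private final Map<String, Boolean> decisionCache = new ConcurrentHashMap<>();

    public FailClosedLdapAuthenticator(String ldapUrl, String dnPattern) {
        this.ldapUrl = ldapUrl;
        this.dnPattern = dnPattern;
    }

    public boolean authenticate(String user, char[] password) {
        if (user == null || user.isEmpty()) return false;
        // Drop any earlier decision first, so a failure below can never fall back to it.
        decisionCache.remove(user);
        // A simple bind with a zero-length password is an "unauthenticated bind"
        // (RFC 4513, section 5.1.2); some servers treat it as anonymous and report
        // success, so it must never be sent as a credential check.
        if (password == null || password.length == 0) return false;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Rdn.escapeValue keeps the user name from altering the structure of the bind DN.
        env.put(Context.SECURITY_PRINCIPAL, String.format(dnPattern, Rdn.escapeValue(user)));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env); // performs the bind
            ctx.close();
            decisionCache.put(user, Boolean.TRUE);
            return true;
        } catch (NamingException e) {
            // Bind failure or any directory error is a denial; the cache stays empty.
            return false;
        }
    }

    // Later requests may consult the cache, which only ever holds successful binds.
    public boolean hasValidDecision(String user) {
        return user != null && decisionCache.getOrDefault(user, Boolean.FALSE);
    }
}
```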
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Fedora Commons
Java Naming/Directory Interface
Ldap