PT-2008-1674 · Dbmail +1

Vugluskr · Published 2008-04-17 · Updated 2017-08-08 · CVE-2007-6714

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: DBMail versions prior to 2.2.9
Description: The issue allows remote attackers to bypass authentication by supplying a valid username together with an empty password when DBMail is configured to use authldap against an LDAP server that accepts unauthenticated simple binds, such as Active Directory. A simple bind with a non-empty DN and an empty password is the "unauthenticated" bind of RFC 4513 section 5.1.2: the server answers with a success result code but grants only anonymous authorization. DBMail treated that success result as proof that the supplied password was correct, so the empty password logs the attacker in as the named user without any credential being checked.
Recommendations: For DBMail versions prior to 2.2.9, update to version 2.2.9 or later, which resolves the issue. Until the update is applied: disable authldap, or point it only at LDAP servers configured to reject unauthenticated simple binds (OpenLDAP rejects a bind with a DN and an empty password unless `allow bind_anon_dn` is set; check the equivalent setting on your directory, since Active Directory accepts such binds); restrict network access to the DBMail services that authenticate users through LDAP; and, if you maintain a local patch, reject an empty password before issuing the bind instead of relying on the bind result alone. Note that an empty password is something the attacker chooses to send, so user-side password policy does not mitigate this.
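The following is an added example, not DBMail's code and not from the original advisory. It models the three simple-bind cases of RFC 4513 section 5.1 with a constructed in-memory directory (no real LDAP server is contacted), then shows an authldap-style check in the vulnerable form ("bind returned success, so the password is right") beside a hardened form that refuses empty credentials before binding and only accepts a bind whose authorization identity is the user being checked. The DN layout, the `allow_unauthenticated` switch (standing in for server policy such as OpenLDAP's `allow bind_anon_dn`), and the users and passwords are all assumptions made for the example.

```python
"""Simulated LDAP simple-bind semantics (RFC 4513 section 5.1) and an
authldap-style password check, vulnerable and hardened.

Constructed example for illustration; not DBMail's code.
"""
from dataclasses import dataclass

SUCCESS = 0               # LDAP resultCode success
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

# Constructed directory (DN -> password). Stands in for a real LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse",
    "uid=bob,ou=people,dc=example,dc=org": "battery staple",
}


@dataclass
class BindResult:
    code: int
    # Authorization identity the session ended up with, i.e. what the
    # "Who am I?" extended operation (RFC 4532) would report afterwards.
    # Empty string means anonymous.
    authz_id: str


def simple_bind(dn: str, password: str, allow_unauthenticated: bool = True) -> BindResult:
    """Model the three simple-bind cases of RFC 4513 section 5.1.

    anonymous:       empty DN, empty password  -> success, anonymous authz
    unauthenticated: DN given, empty password  -> success, anonymous authz
                     (Active Directory accepts this; OpenLDAP rejects it
                     unless 'allow bind_anon_dn' is set, modelled here by
                     the assumed allow_unauthenticated flag)
    authenticated:   DN and password must match -> success, authz = the DN
    """
    if dn == "" and password == "":
        return BindResult(SUCCESS, "")
    if password == "":
        if allow_unauthenticated:
            # The trap: the result code says success, but nobody was authenticated.
            return BindResult(SUCCESS, "")
        return BindResult(INVALID_CREDENTIALS, "")
    if DIRECTORY.get(dn) == password:
        return BindResult(SUCCESS, "dn:" + dn)
    return BindResult(INVALID_CREDENTIALS, "")


def user_dn(username: str) -> str:
    """Assumed DN layout. A real authldap module would search for the
    user's entry first; that step is simplified away here."""
    return f"uid={username},ou=people,dc=example,dc=org"


def authldap_vulnerable(username: str, password: str) -> bool:
    """Pre-2.2.9-style logic: the bind succeeded, therefore the password
    must be right. With an empty password this is true for any user."""
    return simple_bind(user_dn(username), password).code == SUCCESS


def authldap_hardened(username: str, password: str) -> bool:
    """Refuse empty credentials before any bind is issued, and require
    that the bound session actually carries the user's own identity
    (the check a "Who am I?" call would give you against a real server)."""
    if not username or not password:
        return False
    dn = user_dn(username)
    result = simple_bind(dn, password)
    return result.code == SUCCESS and result.authz_id == "dn:" + dn


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", ""), ("alice", "wrong")]:
        print(f"{user!r} / {pw!r}: vulnerable={authldap_vulnerable(user, pw)} "
              f"hardened={authldap_hardened(user, pw)}")
```

Run as a script, the second line of output shows the bypass: the vulnerable check accepts `alice` with an empty password while the hardened one does not. The early empty-password rejection is the essential fix; the authorization-identity check is belt and braces for servers whose bind semantics you do not control.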

Weakness Enumeration

Improper Authentication (CWE-287)

Related identifiers

CVE-2007-6714

Affected products

Active Directory
Dbmail