PT-2014-6050 · Cherokee · Cherokee

Matthew Daley · Published 2014-07-02 · Updated 2017-01-03 · CVE-2014-4668

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Cherokee versions 1.2.103 and earlier

Description: The issue concerns the cherokee_validator_ldap_check function in validator_ldap.c. When LDAP authentication is used, the function does not properly account for unauthenticated-bind semantics (a bind with a non-empty DN and an empty password, which an LDAP server treats as an unauthenticated bind and answers with success). A successful bind is therefore taken as proof of a valid password, which allows remote attackers to bypass authentication by supplying an empty password.

Recommendations: For Cherokee versions 1.2.103 and earlier, consider disabling the LDAP authentication mechanism until a patch is available. Restrict access to the resources protected by the cherokee_validator_ldap_check function to minimize the risk of exploitation. Avoid using empty passwords in the affected LDAP configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
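The bug class described above, as an added illustration that is not Cherokee's own code: a stand-in for the LDAP bind call implements RFC 4513 unauthenticated-bind semantics (non-empty DN, empty password, server answers success), and the two validator functions show why treating a successful bind as proof of the password is unsafe and how an explicit empty-credential check before binding closes the gap. The directory entry, the function names and the bind stand-in are constructed for this example and are assumptions, not the project's code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample directory: one entry with a real password. */
static const char *DIR_DN = "uid=alice,ou=people,dc=example,dc=org";
static const char *DIR_PW = "s3cret";

/* libldap result codes used below. */
#define LDAP_SUCCESS              0
#define LDAP_INVALID_CREDENTIALS 49

/* Stand-in for ldap_simple_bind_s() with RFC 4513 semantics (assumption,
 * not a real LDAP client): an empty password is an anonymous or
 * unauthenticated bind, so the server answers success without checking
 * any credential at all. */
static int fake_ldap_bind(const char *dn, const char *pw)
{
    if (pw == NULL || pw[0] == '\0')
        return LDAP_SUCCESS;          /* unauthenticated bind "succeeds" */
    if (dn != NULL && strcmp(dn, DIR_DN) == 0 && strcmp(pw, DIR_PW) == 0)
        return LDAP_SUCCESS;          /* genuine simple bind */
    return LDAP_INVALID_CREDENTIALS;
}

/* Vulnerable pattern: bind success is taken as proof of the password. */
bool validator_ldap_check_vulnerable(const char *dn, const char *pw)
{
    return fake_ldap_bind(dn, pw) == LDAP_SUCCESS;
}

/* Hardened pattern: reject empty DN or password before binding, so an
 * unauthenticated bind can never be mistaken for a password check. */
bool validator_ldap_check_fixed(const char *dn, const char *pw)
{
    if (dn == NULL || dn[0] == '\0' || pw == NULL || pw[0] == '\0')
        return false;
    return fake_ldap_bind(dn, pw) == LDAP_SUCCESS;
}

int main(void)
{
    const char *dn = DIR_DN;
    printf("vulnerable, empty password: %s\n",
           validator_ldap_check_vulnerable(dn, "") ? "ACCEPTED" : "denied");
    printf("fixed, empty password:      %s\n",
           validator_ldap_check_fixed(dn, "") ? "ACCEPTED" : "denied");
    printf("fixed, correct password:    %s\n",
           validator_ldap_check_fixed(dn, "s3cret") ? "accepted" : "DENIED");
    return 0;
}
```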

Weakness Enumeration

Improper Authentication

Related identifiers

CVE-2014-4668
MGASA-2015-0181

Affected products

Cherokee