PT-2018-9308 · Unboundid · Unboundid Ldap Sdk

Sshke · Published 2018-03-16 · Updated 2022-05-13 · CVE-2018-1000134

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: UnboundID LDAP SDK versions from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6
Description: An Incorrect Access Control vulnerability exists in the process function of the SimpleBindRequest class. When running in synchronous mode, the function does not check for an empty password, so an attacker can impersonate any valid user by supplying that user's username together with an empty password against servers that do not perform the additional validation recommended in RFC 4513, section 5.1.1.
Recommendations: For UnboundID LDAP SDK versions from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, update to a version after commit 8471904a02438c03965d21367890276bc25fa5a6 to resolve the issue. As a temporary workaround until the update can be applied, add server-side validation that rejects binds with an empty password, as recommended by RFC 4513, section 5.1.1.
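The following is an added example, not code from the UnboundID LDAP SDK or from this advisory. It models in plain Python the two checks the advisory points at: the client-side guard (the fixed SDK refuses to send a simple bind that names a DN but carries no password) and the server-side rejection of "unauthenticated" binds that RFC 4513 describes. ToyDirectory, authenticate_user, the result-code constants and the sample entries are constructed for illustration; the numeric result codes follow RFC 4511.

```python
"""Simple-bind handling around the empty-password case.

Added example; not code from the UnboundID LDAP SDK or from this advisory.
It models the client-side guard the fixed SDK performs before sending a
bind with a DN but no password, and the server-side rejection of
"unauthenticated" binds that RFC 4513 describes. ToyDirectory,
authenticate_user and the sample entries are constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field

# Numeric LDAP result codes (RFC 4511, Appendix A).
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


def classify_simple_bind(dn: str, password: bytes) -> str:
    """Name the simple-bind variant per RFC 4513 section 5.1.

    empty DN + empty password  -> "anonymous"
    DN + empty password        -> "unauthenticated" (the case at issue)
    DN + password              -> "name/password"
    empty DN + password        -> "invalid" (no identity to verify)
    """
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"
    if dn and password:
        return "name/password"
    return "invalid"


def build_simple_bind(dn: str, password: bytes) -> dict:
    """Client-side guard mirroring the SDK fix: refuse to build a bind that
    names a DN but carries no password, so it is never sent to the server."""
    if classify_simple_bind(dn, password) == "unauthenticated":
        raise ValueError("simple bind with a DN requires a non-empty password")
    return {"dn": dn, "password": password}


@dataclass
class ToyDirectory:
    """Minimal stand-in for an LDAP server's bind handling (constructed).

    reject_unauthenticated=True is the RFC 4513 recommended default; False
    models a permissive server that answers an unauthenticated bind with
    SUCCESS (granting only anonymous rights, which a client cannot tell
    apart from a real login by looking at the result code alone).
    """
    entries: dict = field(default_factory=dict)  # DN -> password (toy only)
    reject_unauthenticated: bool = True

    def bind(self, dn: str, password: bytes) -> int:
        kind = classify_simple_bind(dn, password)
        if kind == "anonymous":
            return SUCCESS
        if kind == "unauthenticated":
            return UNWILLING_TO_PERFORM if self.reject_unauthenticated else SUCCESS
        if kind == "name/password":
            stored = self.entries.get(dn)
            # Constant-time comparison; a real server compares against a hash.
            if stored is not None and hmac.compare_digest(stored, password):
                return SUCCESS
        return INVALID_CREDENTIALS


def authenticate_user(directory: ToyDirectory, dn: str, password: bytes,
                      client_guard: bool = True) -> bool:
    """What an application typically does: bind as the user and treat
    SUCCESS as proof of identity. client_guard=False models the affected
    SDK range, where the empty password reached the server unchecked."""
    if client_guard:
        try:
            build_simple_bind(dn, password)
        except ValueError:
            return False
    return directory.bind(dn, password) == SUCCESS


if __name__ == "__main__":
    users = {"cn=alice,dc=example,dc=com": b"correct horse"}  # constructed
    permissive = ToyDirectory(users, reject_unauthenticated=False)
    strict = ToyDirectory(users, reject_unauthenticated=True)
    alice = "cn=alice,dc=example,dc=com"
    # Affected client against a permissive server: empty password "logs in".
    print(authenticate_user(permissive, alice, b"", client_guard=False))  # True
    # Either fix on its own closes the gap.
    print(authenticate_user(permissive, alice, b"", client_guard=True))   # False
    print(authenticate_user(strict, alice, b"", client_guard=False))      # False
```

The point of running both configurations is that the two fixes are independent: the SDK update removes the problem regardless of server policy, and a server that follows the RFC default protects applications still on an affected SDK build.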

Related Identifiers

CVE-2018-1000134
GHSA-QWQ9-8RPF-8MP7
RHSA-2018:1713

Affected Products

Unboundid Ldap Sdk