PT-2017-4226 · Go · Ldap.V2
Tiziano88 · Published 2017-09-20 · Updated 2024-08-21 · CVE-2017-14623
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ldap.v2 (aka go-ldap) versions through 2.5.0
Description
The issue lies in the authentication procedure of the ldap.v2 package for Go. An attacker may be able to log in with an empty password if the application relies solely on the error returned by the Bind function call to decide authorization and is used with an LDAP server that allows unauthenticated bind. This could allow a remote attacker to bypass existing security restrictions.
Recommendations
For versions through 2.5.0, consider modifying the application to not rely solely on the return error of the Bind function call for authorization. As a temporary workaround, restrict access to LDAP servers that allow unauthenticated bind until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
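The pattern the recommendation describes, as an added example that is not from the advisory or the go-ldap project: an assumed Binder interface stands in for *ldap.Conn, a constructed permissiveServer simulates a directory that allows unauthenticated bind, and Authenticate rejects empty credentials before Bind is ever called.

```go
package main

import (
	"errors"
	"fmt"
)

// Binder is the subset of the go-ldap client API used for authentication.
// It is an assumed interface so the example runs without gopkg.in/ldap.v2;
// a real *ldap.Conn satisfies it.
type Binder interface {
	Bind(username, password string) error
}

// ErrEmptyCredentials is returned before any bind request is sent.
var ErrEmptyCredentials = errors.New("empty username or password rejected")

// Authenticate is the hardened pattern: refuse empty credentials locally
// instead of relying solely on the error returned by Bind.
func Authenticate(c Binder, dn, password string) error {
	if dn == "" || password == "" {
		return ErrEmptyCredentials
	}
	return c.Bind(dn, password)
}

// permissiveServer is a constructed stand-in for an LDAP server that allows
// unauthenticated bind: an empty password yields an anonymous session, so
// Bind reports no error even though no identity was proven.
type permissiveServer struct{ users map[string]string }

func (s permissiveServer) Bind(dn, password string) error {
	if password == "" {
		return nil // unauthenticated bind succeeds without credentials
	}
	if pw, ok := s.users[dn]; ok && pw == password {
		return nil
	}
	return errors.New("LDAP Result Code 49 \"Invalid Credentials\"")
}

func main() {
	srv := permissiveServer{users: map[string]string{"cn=alice,dc=example,dc=com": "s3cret"}}
	dn := "cn=alice,dc=example,dc=com"
	// Vulnerable: checking only Bind's error accepts an empty password.
	fmt.Println("Bind only, empty password:", srv.Bind(dn, ""))
	// Hardened: the local check rejects it before any bind is attempted.
	fmt.Println("Authenticate, empty password:", Authenticate(srv, dn, ""))
	fmt.Println("Authenticate, correct password:", Authenticate(srv, dn, "s3cret"))
}
```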
Weakness Enumeration
Improper Authentication
Related identifiers
Affected products
Ldap.V2