PT-2020-16325 · Hazelcast · LdapLoginModule +2

Published: 2020-11-09 · Updated: 2020-11-18 · CVE-2020-26168

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Hazelcast IMDG Enterprise versions 4.0.0 through 4.0.2
Hazelcast Jet Enterprise versions 4.0.0 through 4.2

Description

The LDAP authentication method in LdapLoginModule does not properly verify passwords in certain system-user-dn scenarios, allowing users to be authenticated with invalid passwords.

Recommendations

For Hazelcast IMDG Enterprise versions 4.0.0 through 4.0.2, update to version 4.0.3 or later. For Hazelcast Jet Enterprise versions 4.0.0 through 4.2, consider disabling the LdapLoginModule until a patch is available.

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2020-26168

Affected Products

Hazelcast IMDG Enterprise
Hazelcast Jet Enterprise
LdapLoginModule