PT-2020-16344 · Alerta · Alerta

Published 2020-11-06 · Updated 2020-11-17 · CVE-2020-26214

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Alerta versions prior to 8.1.0

Description: The issue allows users to bypass LDAP authentication by providing an empty password when the Alerta server is configured to use LDAP as the authorization provider. This affects deployments where LDAP servers are configured to allow unauthenticated authentication mechanisms for anonymous authorization. A fix has been implemented that returns an HTTP 401 Unauthorized response for any authentication attempt where the password field is empty.

Recommendations: For versions prior to 8.1.0, update to version 8.1.0 to resolve the issue. As a temporary workaround, LDAP administrators can disallow unauthenticated bind requests by clients.
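The following is an added illustration, not Alerta's own code, of why the fix and the workaround above both work. An LDAP simple bind that carries a DN but an empty password is the "unauthenticated authentication mechanism" of RFC 4513 section 5.1.2: a directory that permits it answers with success but establishes an anonymous association, so an application that treats "bind succeeded" as "user is authenticated" accepts any username with a blank password. The directory below is a constructed in-memory stand-in (no real LDAP library is used), and the DN layout, user names and passwords are hypothetical. `login_vulnerable` models the pre-8.1.0 behaviour, `login_fixed` the 8.1.0 behaviour, and the `allow_unauthenticated=False` setting models the administrator-side workaround.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for an LDAP directory. Real servers (e.g. OpenLDAP,
# Active Directory) differ in detail, but the success-with-anonymous-identity
# behaviour for "DN + empty password" is what RFC 4513 5.1.2 describes.
@dataclass
class FakeLdapServer:
    users: Dict[str, str] = field(default_factory=dict)  # DN -> password
    allow_unauthenticated: bool = True  # the risky server-side setting

    def simple_bind(self, dn: str, password: str) -> Tuple[bool, Optional[str]]:
        """Return (bind_succeeded, authorization identity).

        The identity is None whenever the resulting association is anonymous.
        """
        if dn == "" and password == "":
            return True, None  # plain anonymous bind
        if password == "":
            # Unauthenticated authentication mechanism: DN given, no password.
            if self.allow_unauthenticated:
                return True, None  # success, but the association is anonymous
            return False, None  # server refuses (the recommended workaround)
        if self.users.get(dn) == password:
            return True, dn
        return False, None


def _dn_for(username: str) -> str:
    # Hypothetical DN template; a real deployment would use its own base DN.
    return f"uid={username},ou=people,dc=example,dc=org"


def login_vulnerable(server: FakeLdapServer, username: str, password: str) -> Tuple[int, Optional[str]]:
    """Pre-fix logic: any successful bind is treated as authentication."""
    ok, _authz = server.simple_bind(_dn_for(username), password)
    return (200, username) if ok else (401, None)


def login_fixed(server: FakeLdapServer, username: str, password: str) -> Tuple[int, Optional[str]]:
    """Fixed logic: reject an empty password before talking to the directory
    (this is the 8.1.0 fix), and additionally require that the bind yielded a
    non-anonymous identity (defence in depth, added here as an assumption)."""
    if not password:
        return (401, None)
    ok, authz = server.simple_bind(_dn_for(username), password)
    if not ok or authz is None:
        return (401, None)
    return (200, username)


if __name__ == "__main__":
    directory = FakeLdapServer(users={_dn_for("alice"): "s3cret"})
    print("vulnerable, blank password:", login_vulnerable(directory, "alice", ""))
    print("fixed, blank password:     ", login_fixed(directory, "alice", ""))
    print("fixed, correct password:   ", login_fixed(directory, "alice", "s3cret"))
    hardened = FakeLdapServer(users={_dn_for("alice"): "s3cret"}, allow_unauthenticated=False)
    print("vulnerable app, hardened directory:", login_vulnerable(hardened, "alice", ""))
```

Note that the empty-password check in `login_fixed` is the only part that the application fully controls; whether the directory accepts unauthenticated binds is a server-side setting, which is why the advisory lists both an upgrade and an LDAP-side workaround.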

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2020-26214
GHSA-5HMM-X8Q8-W5JH
PYSEC-2020-159

Affected Products

Alerta