CVE-2020-26542

Name of the Vulnerable Software and Affected Versions Percona Server MongoDB Simple LDAP plugin versions through 2020-10-02

Description An issue was discovered in the MongoDB Simple LDAP plugin for Percona Server when using the SimpleLDAP authentication in conjunction with Microsoft’s Active Directory. The flaw allows authentication to complete when passing a blank value for the password variable, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account.

Recommendations For Percona Server MongoDB Simple LDAP plugin versions through 2020-10-02, consider disabling the SimpleLDAP authentication until a patch is available to prevent exploitation of this issue. Restrict access to the service integrated with Active Directory to minimize the risk of unauthorized access. Avoid using blank passwords for authentication in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.