PT-2022-23972 · Microsoft · Active Directory

Published: 2022-08-12 · Updated: 2022-08-16 · CVE-2022-37397

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: YugabyteDB version 2.6.1

Description: An issue was discovered when using LDAP-based authentication in YCQL with Microsoft's Active Directory. If anonymous or unauthenticated LDAP binding is enabled on the directory, the YCQL authentication check can be bypassed by supplying an empty password.

Recommendations: For YugabyteDB version 2.6.1, consider disabling anonymous or unauthenticated LDAP binding to prevent the authentication bypass. As a temporary workaround, restrict access to the LDAP authentication module until a patch is available.
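The mechanism behind this class of bug is the LDAP simple-bind rule (RFC 4513 section 5.1): a bind that carries a name but an empty password is an "unauthenticated" bind, and a directory configured to permit it answers success while granting only anonymous rights. An application that treats "bind returned success" as "user authenticated" is therefore bypassable with an empty password. The following is an added example, not YugabyteDB's or Microsoft's code: it models that bind semantics with a constructed in-memory directory (the `FakeLdapServer` class, the DN template and the sample entries are all hypothetical), shows the trusting check beside the hardened one, and shows that turning off unauthenticated binds on the server side closes the hole even for the trusting client.

```python
"""
Simulated LDAP simple-bind semantics (RFC 4513 section 5.1) and two
application-side authentication checks: one that trusts any successful
bind, and one that refuses empty credentials and requires an authenticated
identity. The directory, server model and DN template are constructed for
this example and do not come from any real product.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample directory: DN -> password.
DIRECTORY: Dict[str, str] = {
    "cn=alice,ou=users,dc=example,dc=com": "correct-horse-battery",
    "cn=bob,ou=users,dc=example,dc=com": "hunter2",
}


@dataclass
class BindResult:
    success: bool
    # Identity the connection holds after the bind. For anonymous and
    # unauthenticated binds this stays None even though success is True.
    authz_dn: Optional[str]
    reason: str = ""


@dataclass
class FakeLdapServer:
    """Models the three simple-bind cases of RFC 4513: anonymous (no name,
    no password), unauthenticated (name, empty password) and name/password."""
    directory: Dict[str, str]
    allow_unauthenticated_bind: bool = True  # the weak default this example studies

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, None, "anonymous bind")
        if dn != "" and password == "":
            # The server does not even look the DN up: success means anonymous.
            if self.allow_unauthenticated_bind:
                return BindResult(True, None, "unauthenticated bind, anonymous rights")
            return BindResult(False, None, "unauthenticated bind refused")
        if self.directory.get(dn) == password:
            return BindResult(True, dn, "authenticated")
        return BindResult(False, None, "invalidCredentials")


def user_dn(username: str) -> str:
    # Hypothetical DN template; a real deployment derives the DN its own way.
    return f"cn={username},ou=users,dc=example,dc=com"


def authenticate_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """Accepts the user whenever the bind reports success. Against a server
    that permits unauthenticated binds, an empty password yields a successful
    anonymous bind, so this returns True for any username."""
    return server.simple_bind(user_dn(username), password).success


def authenticate_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Rejects empty credentials before contacting the directory, and then
    requires that the bind produced an authenticated identity for this user,
    not merely a successful (possibly anonymous) bind."""
    if not username or not password:
        return False
    result = server.simple_bind(user_dn(username), password)
    return result.success and result.authz_dn == user_dn(username)


if __name__ == "__main__":
    weak = FakeLdapServer(DIRECTORY)
    fixed = FakeLdapServer(DIRECTORY, allow_unauthenticated_bind=False)
    for label, server in (("unauthenticated binds allowed", weak),
                          ("unauthenticated binds refused", fixed)):
        print(label)
        for user, pw in (("alice", "correct-horse-battery"), ("alice", ""), ("nobody", "")):
            print(f"  {user!r}/{pw!r}: trusting={authenticate_vulnerable(server, user, pw)}"
                  f" hardened={authenticate_hardened(server, user, pw)}")
```

The two layers correspond to the two recommendations above: the server-side setting (`allow_unauthenticated_bind=False`) is what disabling unauthenticated binding achieves, and the application-side empty-credential check plus the identity comparison is what a client should do regardless, because it cannot assume every directory it is pointed at has been hardened.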

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2022-37397

Affected Products: Active Directory, YugabyteDB