PT-2025-40512 · Ldap+2
Vladislav Volozhenko · Published 2025-10-03 · Updated 2025-11-05
CVE-2025-27231
CVSS v2.0: 6.1 (Medium)
Vector: AV:N/AC:L/Au:M/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Versions prior to the fix in which the 'Bind password' value is reset on 'Host' change.
Description
A Super Admin account can potentially leak the LDAP 'Bind password' value by changing the LDAP 'Host' to a rogue LDAP server. The 'Bind password' value cannot be read back after saving, but this manipulation causes the stored credential to be presented to a server the Super Admin controls, giving them access to it without authorization. The issue is mitigated by resetting the 'Bind password' value whenever the 'Host' is changed.
Recommendations
Ensure the 'Bind password' value is reset whenever the 'Host' value is changed, so that a stored credential is never reused against a different server.
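The pre-fix and fixed settings-update logic side by side, as an added illustration that is not the vendor's code: the function names, the LdapSettings record and the sample host and password values are constructed for this example and are not taken from the advisory.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class LdapSettings:
    host: str
    port: int
    bind_dn: str
    bind_password: str  # write-only secret: kept server-side, never sent back to the UI


def client_view(s: LdapSettings) -> dict:
    """What the settings form is allowed to see: the password field is always blank."""
    return {"host": s.host, "port": s.port, "bind_dn": s.bind_dn, "bind_password": ""}


def apply_update_vulnerable(current: LdapSettings, form: dict) -> LdapSettings:
    """Pre-fix behaviour: a blank password field means 'keep the stored secret',
    even though the host now points at a different server."""
    new_password = form.get("bind_password") or current.bind_password
    return replace(current, host=form["host"], port=form["port"],
                   bind_dn=form["bind_dn"], bind_password=new_password)


def apply_update_fixed(current: LdapSettings, form: dict) -> LdapSettings:
    """Fixed behaviour: the stored secret is bound to the host it was entered for;
    a host change drops it, so an admin has to re-enter it for the new server."""
    host_changed = form["host"].strip().lower() != current.host.strip().lower()
    supplied = form.get("bind_password") or ""
    if supplied:
        new_password = supplied            # admin typed a password for this save
    elif host_changed:
        new_password = ""                  # reset: nothing will be sent to the new host
    else:
        new_password = current.bind_password
    return replace(current, host=form["host"], port=form["port"],
                   bind_dn=form["bind_dn"], bind_password=new_password)


def credential_sent_in_bind(s: LdapSettings) -> Optional[str]:
    """Secret the connector would present to s.host on its next bind, or None if unset."""
    return s.bind_password or None


# Constructed sample values (hypothetical, not from the advisory).
STORED = LdapSettings("ldap.corp.example", 389, "cn=svc,dc=corp,dc=example", "s3cret")
ROGUE_FORM = {"host": "rogue.example", "port": 389, "bind_dn": STORED.bind_dn, "bind_password": ""}


def demo() -> dict:
    """Compare what each variant would send to the new host after the same form submit."""
    return {"vulnerable": credential_sent_in_bind(apply_update_vulnerable(STORED, ROGUE_FORM)),
            "fixed": credential_sent_in_bind(apply_update_fixed(STORED, ROGUE_FORM))}
```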
Fix
Information Disclosure
Insufficiently Protected Credentials
Affected Products
Debian
Ldap
Red Os