CVE Vulnerability

CVE-2020-26168

The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't verify properly the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://docs.hazelcast.org/docs/ern/index.html#4-0-3 Release Notes Vendor Advisory
https://hazelcast.zendesk.com/hc/en-us/articles/360051384932--JET-Enterprise-4-0-4-1-4-1-1-4-2-LDAP-Authentication-Bypass Vendor Advisory
https://jet-start.sh/blog/2020/10/23/jet-43-is-released Vendor Advisory
https://hazelcast.zendesk.com/hc/en-us/articles/360050161951--IMDG-Enterprise-4-0-4-0-1-4-0-2-LDAP-Authentication-Bypass Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:hazelcast:hazelcast:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:hazelcast:jet:*:*:*:*:enterprise:*:*:*
Information

Published : 2020-11-09 10:15

Updated : 2020-11-18 08:39

NVD link : CVE-2020-26168

Mitre link : CVE-2020-26168

Products Affected
No products.
CWE
CWE-287