CVE-2014-8763

Published: Oct 22, 2014Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

Affected (3)

Products: Dokuwiki: Dokuwiki · Mageia Project: Mageia

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dokuwiki Dokuwiki	Up to 2014-05-05a

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Mageia Project Mageia	Version 3.0
Mageia Project Mageia	Version 4.0

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (14)

http://advisories.mageia.org/MGASA-2014-0438.html

Source: secalert@redhat.com

http://secunia.com/advisories/61983

Source: secalert@redhat.com

http://www.debian.org/security/2014/dsa-3059

Source: secalert@redhat.com

http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2014/10/13/3

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2014/10/16/9

Source: secalert@redhat.com

https://github.com/splitbrain/dokuwiki/pull/868

Source: secalert@redhat.com

http://advisories.mageia.org/MGASA-2014-0438.html