CVE-2014-8764

Published: Oct 22, 2014Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

Affected (3)

Products: Mageia Project: Mageia · Dokuwiki: Dokuwiki

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mageia Project Mageia	Version 3.0
Mageia Project Mageia	Version 4.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Dokuwiki Dokuwiki	Up to 2013-12-08

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (14)

http://advisories.mageia.org/MGASA-2014-0438.html

Source: secalert@redhat.com

http://secunia.com/advisories/61983

Source: secalert@redhat.com

http://www.debian.org/security/2014/dsa-3059

Source: secalert@redhat.com

http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2014/10/13/3

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2014/10/16/9

Source: secalert@redhat.com

https://github.com/splitbrain/dokuwiki/pull/868

Source: secalert@redhat.com

http://advisories.mageia.org/MGASA-2014-0438.html