CVE-2020-26168

Published: Nov 9, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't verify properly the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.

Affected (2)

Products: Hazelcast: Hazelcast, Jet

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Hazelcast Hazelcast	From 4.0 to 4.0.3
Hazelcast Jet	From 4.0 to 4.2

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (8)

https://docs.hazelcast.org/docs/ern/index.html#4-0-3

Source: cve@mitre.org

Release NotesVendor Advisory

https://hazelcast.zendesk.com/hc/en-us/articles/360050161951--IMDG-Enterprise-4-0-4-0-1-4-0-2-LDAP-Authentication-Bypass

Source: cve@mitre.org

Vendor Advisory

https://hazelcast.zendesk.com/hc/en-us/articles/360051384932--JET-Enterprise-4-0-4-1-4-1-1-4-2-LDAP-Authentication-Bypass

Source: cve@mitre.org

Vendor Advisory

https://jet-start.sh/blog/2020/10/23/jet-43-is-released

Source: cve@mitre.org

Vendor Advisory

https://docs.hazelcast.org/docs/ern/index.html#4-0-3

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://hazelcast.zendesk.com/hc/en-us/articles/360050161951--IMDG-Enterprise-4-0-4-0-1-4-0-2-LDAP-Authentication-Bypass

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://hazelcast.zendesk.com/hc/en-us/articles/360051384932--JET-Enterprise-4-0-4-1-4-1-1-4-2-LDAP-Authentication-Bypass

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://jet-start.sh/blog/2020/10/23/jet-43-is-released

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.