CVSS: 6.8EPSS: 1%CPEs: 18EXPL: 0CVE-2011-1025 – openldap: rootpw not verified via slapd.conf when using the NDB backend
https://notcve.org/view.php?id=CVE-2011-1025
bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password. bind.cpp en back-ndb en OpenLDAP v2.4.x anteriores a v2.4.24 no requiere autenticación para el Distinguished Name (DN), lo que permite a atacantes remotos evitar las restricciones de acceso previsto a través de una contraseña arbitraria. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://openwall.com/lists/oss-security/2011/02/24/12 http://openwall.com/lists/oss-security/2011/02/25/13 http://secunia.com/advisories/43331 http://secunia.com/advisories/43718 http://security.gentoo.org/glsa/glsa-201406-36.xml http://securitytracker.com/id?1025190 http://www.mandriva.com/security/advisories?name=MDVSA-2011:056 http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ndb/bind.cpp.diff& • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2009-3767 – OpenLDAP: Doesn't properly handle NULL character in subject Common Name
https://notcve.org/view.php?id=CVE-2009-3767
libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. libraries/libldap/tls_o.c en OpenLDAP, cuando se usa OpenSSL, no maneja de forma adecuada el caracter '\0' en un nombre de dominio, dentro del campo sujeto del Common Name (CN) en los certificados X.509, lo que permite a atacantes man-in-the-middle, espíar servidores SSL de su elección a través de certificados manipulados concedidos por Autoridades Certificadoras, esta relacionado con CVE-2009-2408. • http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036138.html http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html http://marc.info/?l=oss-security&m=125198917018936&w=2 http://marc.info/?l=oss-security&m=125369675820512&w=2 http://secunia.com/advisories/38769 http://secunia.com/advisories/40677 http://security.gentoo.org/glsa/glsa-201406-36.xml http://support.apple. • CWE-295: Improper Certificate Validation •