CVE-2020-26168

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-26168

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26168.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-26168

Published

2020-11-09T22:15:13.257Z

Modified

2026-04-10T04:26:30.686351Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't verify properly the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.

References

Affected packages

Git / github.com/hazelcast/hazelcast

Affected ranges

Type

GIT

Repo

https://github.com/hazelcast/hazelcast

Events

Introduced

8b959f580ab91d42c071eac142feb04c5acea72f

Fixed

8b9f09b66347a008d0a58bb62010e95305586c7e

Introduced

8b959f580ab91d42c071eac142feb04c5acea72f

Last affected

ba7949935d4765029611fa6729716825f87621c6

Database specific

{
    "versions": [
        {
            "introduced": "4.0"
        },
        {
            "fixed": "4.0.3"
        },
        {
            "introduced": "4.0"
        },
        {
            "last_affected": "4.2"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26168.json"