GHSA-cfw5-v7cw-69cw

Source

https://github.com/advisories/GHSA-cfw5-v7cw-69cw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-cfw5-v7cw-69cw/GHSA-cfw5-v7cw-69cw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cfw5-v7cw-69cw

Aliases

CVE-2018-1337

Published

2018-11-09T17:49:49Z

Modified

2024-04-19T20:01:20.803418Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Credential leak in org.apache.directory.api:apache-ldap-api

Details

In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:31:24Z"
}

References

Affected packages

Maven / org.apache.directory.api:apache-ldap-api

Package

Name: org.apache.directory.api:apache-ldap-api; View open source insights on deps.dev
Purl: pkg:maven/org.apache.directory.api/apache-ldap-api

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.2

Affected versions

1.*

1.0.0-M14

1.0.0-M15

1.0.0-M16

1.0.0-M17

1.0.0-M18

1.0.0-M19

1.0.0-M20

1.0.0-M21

1.0.0-M22

1.0.0-M23

1.0.0-M24

1.0.0-M25

1.0.0-M26

1.0.0-M27

1.0.0-M28

1.0.0-M29

1.0.0-M30

1.0.0-M31

1.0.0-M32

1.0.0-M33

1.0.0-RC1

1.0.0-RC2

1.0.0

1.0.1