CVE-2020-26214

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26214
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26214.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26214
Aliases
Published
2020-11-06T18:15:12Z
Modified
2024-10-12T06:24:14.272284Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.

References

Affected packages

Git / github.com/alerta/alerta

Affected ranges

Type
GIT
Repo
https://github.com/alerta/alerta
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2bfa31779a4c9df2fa68fa4d0c5c909698c5ef65

Affected versions

v4.*

v4.10.2
v4.5.5

v5.*

v5.0.0
v5.0.0-alpha1
v5.0.0-alpha2
v5.0.0-alpha3
v5.0.0-beta1
v5.0.0-rc1
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.1
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9

v6.*

v6.0.0
v6.0.1
v6.1.0
v6.2.0
v6.2.1
v6.3.0
v6.3.1
v6.3.2
v6.5.0
v6.6.0
v6.6.1
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.8.0
v6.8.1
v6.8.2
v6.8.3

v7.*

v7.0.0
v7.0.1
v7.1.0
v7.1.1
v7.1.2
v7.2.0
v7.2.1
v7.2.10
v7.2.11
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0
v7.3.1
v7.3.2
v7.4.0
v7.4.1
v7.4.4
v7.4.5
v7.4.6
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5

v8.*

v8.0.0
v8.0.1
v8.0.2
v8.0.3