
CVE-2024-10127 Support for authentication bypass condition in M-Files LDAP authentication

2024-11-20

Description

An authentication bypass condition existed in the LDAP authentication of M-Files Server versions before 24.11: the server accepted OpenLDAP configurations that allowed a user to authenticate without a password when the LDAP server itself was configured to permit this.

Affected products

M-Files Server before 24.11
M-Files Server before 24.8 LTS SR2 (24.8.13981.13)

More information

The issue can be remediated by updating M-Files Server to a patched version. The issue only affects customers who are using LDAP authentication with an LDAP server that supports anonymous binding. Anonymous binding is not enabled by default in LDAP servers.

CVSS 4.0 CVSS-BT Score: 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-303: Incorrect Implementation of Authentication Algorithm
CAPEC: CAPEC-114 Authentication Abuse
Internal ID: 171604
Date issued: 2024-11-20
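As an added illustration that is not M-Files code and does not describe the product's internals, the constructed model below shows the general defect class the advisory names (CWE-303: a successful LDAP bind taken as proof of identity even when the bind carried no password) next to the client-side check that closes it. The server class, the user table and the DN are constructed for this example; the bind semantics follow RFC 4513 section 5.1 (empty DN and empty password is an anonymous bind, non-empty DN with empty password is an unauthenticated bind that a server may be configured to accept).

```python
"""Constructed model of LDAP simple-bind handling (RFC 4513 s.5.1):
an empty DN with an empty password is an anonymous bind; a non-empty DN
with an empty password is an unauthenticated bind, which some servers can
be configured to accept and which then yields an anonymous session.
Everything here (server, directory, DNs) is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authz_id: str  # identity the server reports for the session; "" = anonymous


@dataclass
class FakeLdapServer:
    users: dict                          # dn -> password (constructed directory)
    allow_unauthenticated: bool = False  # models a server permitting DN + empty password

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, "")          # anonymous bind
        if password == "":
            # Unauthenticated bind: "success" proves nothing about the DN.
            return BindResult(self.allow_unauthenticated, "")
        ok = self.users.get(dn) == password      # ordinary simple bind
        return BindResult(ok, dn if ok else "")


def vulnerable_login(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Treats any successful bind as proof of identity (the CWE-303 pattern)."""
    return server.simple_bind(dn, password).success


def hardened_login(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Rejects empty credentials before binding, then confirms the session is
    actually bound as the requested DN rather than as anonymous."""
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authz_id == dn


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"   # constructed DN
    lax = FakeLdapServer({alice: "correct-horse"}, allow_unauthenticated=True)
    print("vulnerable, empty password:", vulnerable_login(lax, alice, ""))  # True
    print("hardened,   empty password:", hardened_login(lax, alice, ""))    # False
    print("hardened,   real password: ", hardened_login(lax, alice, "correct-horse"))  # True
```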

Exploitability

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – responsibly reported

History

2024-11-20 Published
2024-12-16 Updated to include LTS 24.8 SR2 version as not affected