CVE-2014-8763 - OpenCVE

DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dokuwiki	Dokuwiki
Mageia Project	Mageia

Configuration 1 [-]

cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:mageia_project:mageia:3.0:::::::*
	cpe:2.3:o:mageia_project:mageia:4.0:::::::*

No data.

References

Link	Providers
http://advisories.mageia.org/MGASA-2014-0438.html
http://secunia.com/advisories/61983
http://www.debian.org/security/2014/dsa-3059
http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
http://www.openwall.com/lists/oss-security/2014/10/13/3
http://www.openwall.com/lists/oss-security/2014/10/16/9
https://github.com/splitbrain/dokuwiki/pull/868

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-10-22T14:00:00

Updated: 2024-08-06T13:26:02.588Z

Reserved: 2014-10-13T00:00:00

Link: CVE-2014-8763

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2014-10-22T14:55:08.373

Modified: 2016-07-15T15:19:32.613

Link: CVE-2014-8763

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\\0) character and a valid user name, which triggers an unauthenticated bind."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-01T13:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[dokuwiki] 20140918 Fwd: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication"}, {"name": "61983", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/61983"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0438.html"}, {"name": "[oss-security] 20141013 CVE request: various security flaws in dokuwiki", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/10/13/3"}, {"name": "[oss-security] 20141016 Re: CVE request: various security flaws in dokuwiki", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/10/16/9"}, {"name": "DSA-3059", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-3059"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/splitbrain/dokuwiki/pull/868"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-8763", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\\0) character and a valid user name, which triggers an unauthenticated bind."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[dokuwiki] 20140918 Fwd: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication", "refsource": "MLIST", "url": "http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication"}, {"name": "61983", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/61983"}, {"name": "http://advisories.mageia.org/MGASA-2014-0438.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0438.html"}, {"name": "[oss-security] 20141013 CVE request: various security flaws in dokuwiki", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/10/13/3"}, {"name": "[oss-security] 20141016 Re: CVE request: various security flaws in dokuwiki", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/10/16/9"}, {"name": "DSA-3059", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-3059"}, {"name": "https://github.com/splitbrain/dokuwiki/pull/868", "refsource": "CONFIRM", "url": "https://github.com/splitbrain/dokuwiki/pull/868"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:26:02.588Z"}, "title": "CVE Program Container", "references": [{"name": "[dokuwiki] 20140918 Fwd: Dokuwiki (maybe) security issue: Null byte poisoning in LDAP authentication", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication"}, {"name": "61983", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/61983"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2014-0438.html"}, {"name": "[oss-security] 20141013 CVE request: various security flaws in dokuwiki", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/10/13/3"}, {"name": "[oss-security] 20141016 Re: CVE request: various security flaws in dokuwiki", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/10/16/9"}, {"name": "DSA-3059", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-3059"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/splitbrain/dokuwiki/pull/868"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-8763", "datePublished": "2014-10-22T14:00:00", "dateReserved": "2014-10-13T00:00:00", "dateUpdated": "2024-08-06T13:26:02.588Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA33BE6C-F00C-4A78-9136-EBBF9643B4F2", "versionEndIncluding": "2014-05-05a", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mageia_project:mageia:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DBED7B92-A9D9-4B2A-A2A5-BD63C2214721", "vulnerable": true}, {"criteria": "cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "A7D2FA5A-6EC3-490B-A6A5-C498C889E30D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\\0) character and a valid user name, which triggers an unauthenticated bind."}, {"lang": "es", "value": "DokuWiki anterior a 2014-05-05b, cuando utiliza Active Directory para la autenticaci\u00f3n LDAP, permite a atacantes remotos evadir la autenticaci\u00f3n a trav\u00e9s de una contrase\u00f1a que empiece por un caracter nulo (\\0) y un nombre de usuario v\u00e1lido, lo que provoca un bind no autenticado."}], "id": "CVE-2014-8763", "lastModified": "2016-07-15T15:19:32.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-22T14:55:08.373", "references": [{"source": "secalert@redhat.com", "url": "http://advisories.mageia.org/MGASA-2014-0438.html"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/61983"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2014/dsa-3059"}, {"source": "secalert@redhat.com", "url": "http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2014/10/13/3"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2014/10/16/9"}, {"source": "secalert@redhat.com", "url": "https://github.com/splitbrain/dokuwiki/pull/868"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}