CVE-2022-37397 - Vulnerability Details - OpenCVE

An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00494.

Key SSVC decision points have not yet been added.

Vendors	Products
Yugabyte Subscribe	Yugabytedb Subscribe

Configuration 1 [-]

cpe:2.3:a:yugabyte:yugabytedb:2.6.1:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-40030	An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.

Fixes

Solution

Upgrade to non-vulnerable version 2.6.1.1+

Workaround

Disable LDAP for YCQL.

References

Link	Providers
https://www.yugabyte.com/

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Yugabyte

Published: 2022-08-12T18:01:37

Updated: 2024-08-03T10:29:21.063Z

Reserved: 2022-08-03T00:00:00

Link: CVE-2022-37397

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-12T20:15:09.850

Modified: 2024-11-21T07:14:55.200

Link: CVE-2022-37397

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"platforms": ["macos, darwin"], "product": "Yugabyte DB", "vendor": "YugaByte, Inc.", "versions": [{"status": "affected", "version": "2.6.1.0"}]}], "configurations": [{"lang": "en", "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-16", "description": "CWE-16 Configuration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-12T18:01:37", "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.yugabyte.com/"}], "solutions": [{"lang": "en", "value": "Upgrade to non-vulnerable version 2.6.1.1+"}], "source": {"defect": ["PLAT-4383"], "discovery": "EXTERNAL"}, "title": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory", "workarounds": [{"lang": "en", "value": "Disable LDAP for YCQL."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@yugabyte.com", "ID": "CVE-2022-37397", "STATE": "PUBLIC", "TITLE": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Yugabyte DB", "version": {"version_data": [{"platform": "macos, darwin", "version_name": "2.6.1.0", "version_value": "2.6.1.0"}]}}]}, "vendor_name": "YugaByte, Inc."}]}}, "configuration": [{"lang": "en", "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287 Improper Authentication"}]}, {"description": [{"lang": "eng", "value": "CWE-16 Configuration"}]}]}, "references": {"reference_data": [{"name": "https://www.yugabyte.com/", "refsource": "CONFIRM", "url": "https://www.yugabyte.com/"}]}, "solution": [{"lang": "en", "value": "Upgrade to non-vulnerable version 2.6.1.1+"}], "source": {"defect": ["PLAT-4383"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Disable LDAP for YCQL."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:29:21.063Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.yugabyte.com/"}]}]}, "cveMetadata": {"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "assignerShortName": "Yugabyte", "cveId": "CVE-2022-37397", "datePublished": "2022-08-12T18:01:37", "dateReserved": "2022-08-03T00:00:00", "dateUpdated": "2024-08-03T10:29:21.063Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yugabyte:yugabytedb:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "D0AF8161-C28C-411F-9433-C472C7981FDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}, {"lang": "es", "value": "Se ha detectado un problema en YugabyteDB versi\u00f3n 2.6.1, cuando es usada la autenticaci\u00f3n basada en LDAP en YCQL con el Directorio Activo de Microsoft. Cuando es habilitada la vinculaci\u00f3n an\u00f3nima o no autenticada de LDAP, permite omitir la autenticaci\u00f3n con una contrase\u00f1a vac\u00eda."}], "id": "CVE-2022-37397", "lastModified": "2024-11-21T07:14:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security@yugabyte.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-12T20:15:09.850", "references": [{"source": "security@yugabyte.com", "tags": ["Vendor Advisory"], "url": "https://www.yugabyte.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.yugabyte.com/"}], "sourceIdentifier": "security@yugabyte.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-16"}, {"lang": "en", "value": "CWE-287"}], "source": "security@yugabyte.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}