CVE-2022-37397 - OpenCVE

An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Yugabyte	Yugabytedb

Configuration 1 [-]

cpe:2.3:a:yugabyte:yugabytedb:2.6.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.yugabyte.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Yugabyte

Published: 2022-08-12T18:01:37

Updated: 2024-08-03T10:29:21.063Z

Reserved: 2022-08-03T00:00:00

Link: CVE-2022-37397

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-12T20:15:09.850

Modified: 2022-08-16T15:44:39.500

Link: CVE-2022-37397

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["macos, darwin"], "product": "Yugabyte DB", "vendor": "YugaByte, Inc.", "versions": [{"status": "affected", "version": "2.6.1.0"}]}], "configurations": [{"lang": "en", "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-16", "description": "CWE-16 Configuration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-12T18:01:37", "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.yugabyte.com/"}], "solutions": [{"lang": "en", "value": "Upgrade to non-vulnerable version 2.6.1.1+"}], "source": {"defect": ["PLAT-4383"], "discovery": "EXTERNAL"}, "title": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory", "workarounds": [{"lang": "en", "value": "Disable LDAP for YCQL."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@yugabyte.com", "ID": "CVE-2022-37397", "STATE": "PUBLIC", "TITLE": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Yugabyte DB", "version": {"version_data": [{"platform": "macos, darwin", "version_name": "2.6.1.0", "version_value": "2.6.1.0"}]}}]}, "vendor_name": "YugaByte, Inc."}]}}, "configuration": [{"lang": "en", "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287 Improper Authentication"}]}, {"description": [{"lang": "eng", "value": "CWE-16 Configuration"}]}]}, "references": {"reference_data": [{"name": "https://www.yugabyte.com/", "refsource": "CONFIRM", "url": "https://www.yugabyte.com/"}]}, "solution": [{"lang": "en", "value": "Upgrade to non-vulnerable version 2.6.1.1+"}], "source": {"defect": ["PLAT-4383"], "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "Disable LDAP for YCQL."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:29:21.063Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.yugabyte.com/"}]}]}, "cveMetadata": {"assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "assignerShortName": "Yugabyte", "cveId": "CVE-2022-37397", "datePublished": "2022-08-12T18:01:37", "dateReserved": "2022-08-03T00:00:00", "dateUpdated": "2024-08-03T10:29:21.063Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yugabyte:yugabytedb:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "D0AF8161-C28C-411F-9433-C472C7981FDB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}, {"lang": "es", "value": "Se ha detectado un problema en YugabyteDB versi\u00f3n 2.6.1, cuando es usada la autenticaci\u00f3n basada en LDAP en YCQL con el Directorio Activo de Microsoft. Cuando es habilitada la vinculaci\u00f3n an\u00f3nima o no autenticada de LDAP, permite omitir la autenticaci\u00f3n con una contrase\u00f1a vac\u00eda."}], "id": "CVE-2022-37397", "lastModified": "2022-08-16T15:44:39.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security@yugabyte.com", "type": "Secondary"}]}, "published": "2022-08-12T20:15:09.850", "references": [{"source": "security@yugabyte.com", "tags": ["Vendor Advisory"], "url": "https://www.yugabyte.com/"}], "sourceIdentifier": "security@yugabyte.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-16"}, {"lang": "en", "value": "CWE-287"}], "source": "security@yugabyte.com", "type": "Secondary"}]}