CVE-2018-1337 – org.apache.directory.api:apache-ldap-api

Package

Manager: maven
Name: org.apache.directory.api:apache-ldap-api
Vulnerable Version: >=0 <1.0.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02912 pctl0.85848

Details

Credential leak in org.apache.directory.api:apache-ldap-api In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).

Metadata

Created: 2018-11-09T17:49:49Z
Modified: 2024-04-19T19:47:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-cfw5-v7cw-69cw/GHSA-cfw5-v7cw-69cw.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-cfw5-v7cw-69cw
Finding: F017
Auto approve: 1