CVE-2017-8028

8.1 HIGH
Published: November 27, 2017 Modified: May 13, 2026
View on NVD

Description

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0319
Source: security_alert@emc.com
https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html
Source: security_alert@emc.com
https://pivotal.io/security/cve-2017-8028
Source: security_alert@emc.com
Issue Tracking Vendor Advisory
https://www.debian.org/security/2017/dsa-4046
Source: security_alert@emc.com
Issue Tracking Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Source: security_alert@emc.com
https://access.redhat.com/errata/RHSA-2018:0319
Source: af854a3a-2127-422b-91ae-364da2661108
https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html
Source: af854a3a-2127-422b-91ae-364da2661108
https://pivotal.io/security/cve-2017-8028
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking Vendor Advisory
https://www.debian.org/security/2017/dsa-4046
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Source: af854a3a-2127-422b-91ae-364da2661108

10 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
1.4%
81th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-287

Affected Vendors

debian pivotal_software

Related CVEs

CVE-2026-5513 7.2
CVE-2026-1291 4.3
CVE-2026-11624 N/A
CVE-2026-9629 6.4
CVE-2026-3297 6.4