CVE-2014-0097: Empty passwords may bypass authentication

May 25, 2017 (updated June 7, 2017)

The ActiveDirectoryLdapAuthenticator in this package does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

References

www.gopivotal.com/security/cve-2014-0097
bugzilla.redhat.com/CVE-2014-0097

Code Behaviors & Features

Detect and mitigate CVE-2014-0097 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →