FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

pam_ldap -- authentication bypass vulnerability

Affected packages
pam_ldap < 1.8.0

Details

VuXML ID 38c76fcf-1744-11da-978e-0001020eed82
Discovery 2005-08-22
Entry 2005-08-27

Luke Howard reports:

If a pam_ldap client authenticates against an LDAP server that returns a passwordPolicyResponse control, but omits the optional "error" field of the PasswordPolicyResponseValue, then the LDAP authentication result will be ignored and the authentication step will always succeed.
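The decision logic that avoids this class of bug, as an added example (not pam_ldap's code and not part of the advisory): the bind result code stays authoritative, and a missing "error" field in the control is treated as "no policy error", never as success. The function names, the sentinel, the sample bytes and the BER tags (0xA0 for warning, 0x81 for error, as laid out in the LDAP password policy draft) are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define LDAP_SUCCESS 0
#define LDAP_INVALID_CREDENTIALS 49
#define PP_ERROR_ABSENT (-1) /* hypothetical sentinel: no "error" field sent */

/* Constructed sample control values (BER), not captured from a real server. */
static const uint8_t PP_WARN_ONLY[] = {0x30,0x05,0xA0,0x03,0x80,0x01,0x0A};
static const uint8_t PP_LOCKED[]    = {0x30,0x03,0x81,0x01,0x01};

/* Extract the optional error [1] ENUMERATED from a PasswordPolicyResponseValue.
 * Returns 0 on success, -1 if malformed. Short-form BER lengths only.
 * An error value of 0 is a real policy error, so absence needs its own value. */
int pp_parse_error(const uint8_t *v, size_t n, int *err)
{
    size_t i = 2;
    *err = PP_ERROR_ABSENT;
    if (n < 2 || v[0] != 0x30 || v[1] >= 0x80 || (size_t)v[1] != n - 2)
        return -1;
    while (i < n) {
        uint8_t tag; size_t len;
        if (n - i < 2 || v[i + 1] >= 0x80) return -1;
        tag = v[i]; len = v[i + 1]; i += 2;
        if (len > n - i) return -1;
        if (tag == 0x81) {                 /* error [1] */
            if (len != 1) return -1;
            *err = v[i];
        } else if (tag != 0xA0) {          /* only warning [0] may be skipped */
            return -1;
        }
        i += len;
    }
    return 0;
}

/* 1 = allow, 0 = deny. Simplification: any policy error denies. */
int auth_allowed(int bind_rc, const uint8_t *ctrl, size_t n)
{
    int err;
    if (bind_rc != LDAP_SUCCESS) return 0; /* bind result is authoritative */
    if (ctrl == NULL) return 1;            /* no control attached */
    if (pp_parse_error(ctrl, n, &err) != 0) return 0; /* fail closed */
    return err == PP_ERROR_ABSENT;
}

int main(void)
{   /* failed bind plus a control without "error": exit status 0 means denied */
    return auth_allowed(LDAP_INVALID_CREDENTIALS, PP_WARN_ONLY, sizeof PP_WARN_ONLY);
}
```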

References

CERT/CC Vulnerability Note 778916
CVE Name CVE-2005-2641
URL https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166163