CVE-2022-37397

Summary

An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.

Affected Software

VendorProductVersion RangeStatus
YugaByte, Inc.Yugabyte DB2.6.1.0affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication
  • CWE-16: CWE-16 Configuration

Workarounds

Disable LDAP for YCQL.

ADP Enrichment

CVE Program Container

Additional References

References