CVE-2024-10127: Support for authentication bypass condition in M-Files LDAP authentication

DESCRIPTION

M-Files Server versions before 24.11 accepted OpenLDAP configurations under which a user could be authenticated without supplying a password, provided the LDAP server itself carried the vulnerable configuration. This is an authentication bypass condition in the LDAP authentication path.

AFFECTED PRODUCTS

M-Files Server before 24.11

MORE INFORMATION

The issue can be remediated by updating M-Files Server to a patched version. It only affects customers who use LDAP authentication with an LDAP server that supports anonymous binding. Anonymous binding is not enabled by default in LDAP servers.
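As an added illustration (not M-Files code and not taken from this advisory), the snippet below shows how an empty password can turn a simple bind into an anonymous bind on a server that permits one, and the two checks an application must make so that this is not mistaken for a successful user login. The LDAP server, the user entry and the password are constructed stand-ins.

```python
# Added example: empty-password simple bind vs. a hardened application-side check.
# FakeLdapServer is a constructed stand-in for a directory with anonymous binding enabled.
from dataclasses import dataclass


@dataclass
class BindResult:
    success: bool
    authzid: str  # identity the server actually bound as; "" means anonymous


class FakeLdapServer:
    """Constructed stand-in. When allow_anonymous is True, a bind request carrying a DN
    but an empty password succeeds as an *anonymous* bind (RFC 4513 section 5.1.2),
    not as the named DN. That is the server-side condition the advisory refers to."""

    def __init__(self, users: dict, allow_anonymous: bool):
        self.users = users  # DN -> password, constructed sample data
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            return BindResult(self.allow_anonymous, "")  # anonymous, never as dn
        if self.users.get(dn) == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def authenticate_vulnerable(server: FakeLdapServer, dn: str, password: str) -> bool:
    # Weak pattern: any successful bind is taken as proof of valid credentials.
    return server.simple_bind(dn, password).success


def authenticate_hardened(server: FakeLdapServer, dn: str, password: str) -> bool:
    # Refuse empty or blank passwords before contacting the directory at all,
    # and require that the server bound as the requested DN, not anonymously.
    if not password or not password.strip():
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authzid == dn


ALICE = "uid=alice,dc=example,dc=com"  # constructed user entry
SERVER = FakeLdapServer({ALICE: "correct horse"}, allow_anonymous=True)


def demo() -> dict:
    """Outcomes for the same server under both application patterns."""
    return {
        "vulnerable_empty_pw": authenticate_vulnerable(SERVER, ALICE, ""),  # True: bypass
        "hardened_empty_pw": authenticate_hardened(SERVER, ALICE, ""),  # False
        "hardened_good_pw": authenticate_hardened(SERVER, ALICE, "correct horse"),  # True
        "hardened_bad_pw": authenticate_hardened(SERVER, ALICE, "wrong"),  # False
    }
```

Disabling anonymous binding on the directory closes the server-side half; the hardened check closes the application-side half even when the directory setting cannot be changed.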

CVSS 4.0 CVSS-BT Score: 9.2

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-303: Incorrect Implementation of Authentication Algorithm

CAPEC: CAPEC-114 Authentication Abuse

Internal ID: 171604

Date issued: 2024-11-20

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – responsibly reported

LINKS

https://www.cve.org/CVERecord?id=CVE-2024-10127

HISTORY

2024-11-20 Published
