directory-users mailing list archives

From Stefan Seelmann <m...@stefan-seelmann.de>
Subject CVE-2021-33900: Apache Directory Studio: StartTLS and SASL confidentiality protection bypass
Date Sat, 24 Jul 2021 09:19:52 GMT
Severity: high

Description:

While investigating DIRSTUDIO-1219 it was noticed that configured
StartTLS encryption was not applied when any SASL authentication
mechanism (DIGEST-MD5, GSSAPI) was used. While investigating
DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality
layer was not applied. This issue affects Apache Directory Studio
version 2.0.0.v20210213-M16 and prior versions.

Mitigation:

This issue was fixed in 2.0.0.v20210717-M17. All users using SASL are
recommended to upgrade to Apache Directory Studio 2.0.0.v20210717-M17.

Credit:

Apache Directory would like to thank Hugh Cole-Baker for reporting this
issue.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@directory.apache.org
For additional commands, e-mail: users-help@directory.apache.org
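
A server-side check for the two symptoms described in the advisory, as an added example that is not part of the original message or of Apache Directory's code: it walks connection logs and records, for each SASL bind, whether TLS was established first and whether a SASL confidentiality layer was negotiated. The log lines are constructed and simplified, modelled on OpenLDAP slapd "stats" logging as an assumption (the advisory names no server, and field names on a given server may differ); `audit_sasl_binds` is a hypothetical helper name.

```python
import re

# Constructed, simplified sample modelled on OpenLDAP slapd "stats" log lines
# (an assumption; the advisory names no server and real field names vary).
SAMPLE_LOG = """\
conn=1001 op=0 STARTTLS
conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="uid=alice,dc=example,dc=com" mech=GSSAPI sasl_ssf=0 ssf=256
conn=1002 op=0 BIND dn="uid=bob,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=0 ssf=0
conn=1003 op=0 BIND dn="uid=carol,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1004 op=0 BIND dn="uid=dave,dc=example,dc=com" method=128
"""

CONN_RE = re.compile(r"conn=(\d+)\s")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
SASL_RE = re.compile(r"\bBIND\b.*\bmech=(\S+) sasl_ssf=(\d+)")


def audit_sasl_binds(log_text):
    """Return one record per SASL bind with the protection seen on that connection."""
    tls_ssf = {}  # connection id -> TLS strength established so far
    records = []
    for line in log_text.splitlines():
        conn_match = CONN_RE.match(line)
        if not conn_match:
            continue
        conn = int(conn_match.group(1))
        tls_match = TLS_RE.search(line)
        if tls_match:
            tls_ssf[conn] = int(tls_match.group(1))
            continue
        sasl_match = SASL_RE.search(line)
        if not sasl_match:
            continue  # simple binds and other operations are out of scope
        mech, sasl_ssf = sasl_match.group(1), int(sasl_match.group(2))
        has_tls = tls_ssf.get(conn, 0) > 0
        # SASL SSF: 0 = no layer, 1 = integrity only, >1 = confidentiality.
        has_sasl_conf = sasl_ssf > 1
        records.append({"conn": conn, "mech": mech, "tls": has_tls,
                        "sasl_confidentiality": has_sasl_conf,
                        "cleartext": not has_tls and not has_sasl_conf})
    return records


if __name__ == "__main__":
    for rec in audit_sasl_binds(SAMPLE_LOG):
        print(rec)
```

A record with `tls` false from a client that was configured for StartTLS, or with `sasl_confidentiality` false from a client configured for a SASL confidentiality layer, matches the behaviour the advisory describes; `cleartext` marks binds where neither protection was present.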

