{"containers":{"cna":{"affected":[{"platforms":["macos, darwin"],"product":"Yugabyte DB","vendor":"YugaByte, Inc.","versions":[{"status":"affected","version":"2.6.1.0"}]}],"configurations":[{"lang":"en","value":"The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory"}],"descriptions":[{"lang":"en","value":"An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-287","description":"CWE-287 Improper Authentication","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-16","description":"CWE-16 Configuration","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2022-08-12T18:01:37.000Z","orgId":"d4ae51d3-4db5-465e-bc8a-eb6768324078","shortName":"Yugabyte"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://www.yugabyte.com/"}],"solutions":[{"lang":"en","value":"Upgrade to non-vulnerable version 2.6.1.1+"}],"source":{"defect":["PLAT-4383"],"discovery":"EXTERNAL"},"title":"The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory","workarounds":[{"lang":"en","value":"Disable LDAP for YCQL."}],"x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@yugabyte.com","ID":"CVE-2022-37397","STATE":"PUBLIC","TITLE":"The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Yugabyte DB","version":{"version_data":[{"platform":"macos, darwin","version_name":"2.6.1.0","version_value":"2.6.1.0"}]}}]},"vendor_name":"YugaByte, Inc."}]}},"configuration":[{"lang":"en","value":"The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-287 Improper Authentication"}]},{"description":[{"lang":"eng","value":"CWE-16 Configuration"}]}]},"references":{"reference_data":[{"name":"https://www.yugabyte.com/","refsource":"CONFIRM","url":"https://www.yugabyte.com/"}]},"solution":[{"lang":"en","value":"Upgrade to non-vulnerable version 2.6.1.1+"}],"source":{"defect":["PLAT-4383"],"discovery":"EXTERNAL"},"work_around":[{"lang":"en","value":"Disable LDAP for YCQL."}]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T10:29:21.063Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.yugabyte.com/"}]}]},"cveMetadata":{"assignerOrgId":"d4ae51d3-4db5-465e-bc8a-eb6768324078","assignerShortName":"Yugabyte","cveId":"CVE-2022-37397","datePublished":"2022-08-12T18:01:37.000Z","dateReserved":"2022-08-03T00:00:00.000Z","dateUpdated":"2024-08-03T10:29:21.063Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}