CVE-2020-26542

An issue was discovered in the MongoDB Simple LDAP plugin through 2020-10-02 for Percona Server when using the SimpleLDAP authentication in conjunction with Microsofts Active Directory, Percona has discovered a flaw that would allow authentication to complete when passing a blank value for the account password, leading to access against the service integrated with which Active Directory is deployed at the level granted to the authenticating account.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
VendorProductVersion
perconapercona_server
𝑥
≤ 2020-10-02
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://jira.percona.com/browse/PS-7358
https://jira.percona.com/browse/PSMDB-726
https://www.percona.com/blog/2020/10/13/percona-distribution-for-mysql-pxc-variant-8-0-20-fixes-for-security-vulnerability-release-roundup-october-13-2020/
https://www.percona.com/doc/percona-distribution-mysql/8.0/release-notes-pxc-v8.0.20.upd2.html
https://jira.percona.com/browse/PS-7358
https://jira.percona.com/browse/PSMDB-726
https://www.percona.com/blog/2020/10/13/percona-distribution-for-mysql-pxc-variant-8-0-20-fixes-for-security-vulnerability-release-roundup-october-13-2020/
https://www.percona.com/doc/percona-distribution-mysql/8.0/release-notes-pxc-v8.0.20.upd2.html