LDAP Authentication Bypass Vulnerability in YugabyteDB 2.6.1

CVE-2022-37397 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, authentication can be bypassed with an empty password.
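
The failure mode described above, modeled as an added Python example (not YugabyteDB or Active Directory code): under RFC 4513, a simple bind with a name and an empty password is an unauthenticated bind, which a permissive server answers with success. `ToyDirectory`, `naive_login` and `hardened_login` are hypothetical names, and the user data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ToyDirectory:
    """Toy stand-in for a directory server's simple bind handling."""
    users: dict = field(default_factory=dict)  # DN -> password (constructed)
    allow_unauthenticated_bind: bool = True     # the risky server setting

    def simple_bind(self, dn: str, password: str) -> bool:
        """Return True when the bind result would be 'success'."""
        if password == "":
            # Empty password: anonymous (no DN) or unauthenticated (DN given).
            # No credential is verified, yet a permissive server reports success.
            return self.allow_unauthenticated_bind
        return self.users.get(dn) == password


def naive_login(directory: ToyDirectory, dn: str, password: str) -> bool:
    """Flawed pattern: a successful bind is treated as proof of identity."""
    return directory.simple_bind(dn, password)


def hardened_login(directory: ToyDirectory, dn: str, password: str) -> bool:
    """Refuse empty credentials before the directory is ever contacted."""
    if not dn or not password:
        return False
    return directory.simple_bind(dn, password)


# Constructed sample data.
ALICE = "cn=alice,dc=example,dc=com"
DIRECTORY = ToyDirectory(users={ALICE: "correct horse"})
# Same users, with unauthenticated binds disabled on the server side.
STRICT_DIRECTORY = ToyDirectory(users={ALICE: "correct horse"},
                                allow_unauthenticated_bind=False)

if __name__ == "__main__":
    for label, login in (("naive", naive_login), ("hardened", hardened_login)):
        print(label, "empty password accepted:", login(DIRECTORY, ALICE, ""))
```

Either control alone closes the gap in this model: the client-side empty-password check, or disabling unauthenticated binds on the directory server.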
