oss-sec mailing list archives

CVE-2021-33900: Apache Directory Studio: StartTLS and SASL confidentiality protection bypass

From: Stefan Seelmann <seelmann () apache org>
Date: Sat, 24 Jul 2021 11:23:16 +0200

Severity: high

Description:

While investigating DIRSTUDIO-1219 it was noticed that configured
StartTLS encryption was not applied when any SASL authentication
mechanism (DIGEST-MD5, GSSAPI) was used. While investigating
DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality
layer was not applied. This issue affects Apache Directory Studio
version 2.0.0.v20210213-M16 and prior versions.

Mitigation:

This issue was fixed in 2.0.0.v20210717-M17. All users using SASL are
recommended to upgrade to Apache Directory Studio 2.0.0.v20210717-M17.

Credit:

Apache Directory would like to thank Hugh Cole-Baker for reporting this
issue.

Current thread:

CVE-2021-33900: Apache Directory Studio: StartTLS and SASL confidentiality protection bypass Stefan Seelmann (Jul 24)