oss-sec mailing list archives
CVE-2021-33900: Apache Directory Studio: StartTLS and SASL confidentiality protection bypass
From: Stefan Seelmann <seelmann () apache org>
Date: Sat, 24 Jul 2021 11:23:16 +0200
Severity: high

Description:
While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.

Mitigation:
This issue was fixed in 2.0.0.v20210717-M17. All users using SASL are recommended to upgrade to Apache Directory Studio 2.0.0.v20210717-M17.

Credit:
Apache Directory would like to thank Hugh Cole-Baker for reporting this issue.