RubySec

Providing security resources for the Ruby community

CVE-2012-5604 (ldap_fluff): Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass

GEM

ldap_fluff

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • >= 0.1.3

DESCRIPTION

Red Hat Subscription Asset Manager contains a flaw in the rubygem-ldap_fluff component. The issue is triggered when a Microsoft Active Directory server is used as the authentication back-end. This may result in authentication no longer being enforced, allowing a remote attacker to trivially bypass it.
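To tell whether a deployment still ships a pre-fix release, the first check is the resolved gem version against the patched range above. The following script is an added example, not RubySec's or the ldap_fluff project's code; it reads the specs section of a Gemfile.lock (the embedded lockfile is constructed for illustration) and compares the locked ldap_fluff version with the `>= 0.1.3` requirement, treating a prerelease of the fixed version as still affected.

```ruby
require "rubygems"

# Advisory data as stated on this page: affected gem and patched range.
ADVISORY = {
  id:      "CVE-2012-5604",
  gem:     "ldap_fluff",
  patched: Gem::Requirement.new(">= 0.1.3")
}.freeze

# Constructed sample Gemfile.lock pinning a pre-fix release (not a real project).
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    ldap_fluff (0.1.2)
      net-ldap (~> 0.3)
    net-ldap (0.3.1)

PLATFORMS
  ruby

DEPENDENCIES
  ldap_fluff
LOCK

# Extract "name (version)" pairs from a Gemfile.lock specs section. Bundler
# writes each resolved gem at four spaces ("    ldap_fluff (0.1.2)"); the
# dependency lines beneath it are indented deeper and carry a constraint
# rather than a version, so they are skipped. A platform suffix such as
# "1.2.3-x86_64-linux" is dropped before parsing.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    versions[m[1]] = Gem::Version.new(m[2].split("-").first)
  end
  versions
end

# Returns :not_present, :patched or :vulnerable for the advisory above. A
# prerelease of the fixed version (e.g. 0.1.3.pre) sorts below 0.1.3 and is
# therefore still flagged as vulnerable.
def assess(lockfile_text, advisory = ADVISORY)
  version = locked_versions(lockfile_text)[advisory[:gem]]
  return :not_present if version.nil?
  advisory[:patched].satisfied_by?(version) ? :patched : :vulnerable
end

puts "#{ADVISORY[:id]} #{ADVISORY[:gem]}: #{assess(SAMPLE_LOCK)}" if __FILE__ == $PROGRAM_NAME
```

Point `assess` at the text of a real Gemfile.lock to check an application; a `:vulnerable` result means the lockfile resolves ldap_fluff below 0.1.3.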