RubySec

Providing security resources for the Ruby community

CVE-2014-0083 (net-ldap): Net::LDAP for Ruby lib/net/ldap/password.rb SSHA Password Generation Weak Salt

GEM

net-ldap

SEVERITY

CVSS v2: 1.9

PATCHED VERSIONS

  • >= 0.6.0

DESCRIPTION

Net::LDAP for Ruby contains a flaw in lib/net/ldap/password.rb: SSHA password hashes are generated with a weak salt, a value between 0 and 999. This may allow a local attacker to more easily gain access to password information.
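
The following audit sketch is an added example, not code from net-ldap or from this advisory. It builds `{SSHA}` values with the weak salt range described above beside a CSPRNG salt, then flags stored hashes whose salt falls in the weak range. Assumptions: the weak salt is encoded as a decimal string, and all method names, DNs and passwords are constructed for illustration.

```ruby
require 'digest/sha1'
require 'securerandom'

SHA1_LEN = 20 # bytes of SHA-1 digest; the remainder of the blob is the salt

# {SSHA} layout: "{SSHA}" + Base64(SHA1(password + salt) + salt)
def ssha(password, salt)
  pw = password.b
  s = salt.b
  '{SSHA}' + [Digest::SHA1.digest(pw + s) + s].pack('m0')
end

# Weak form as the advisory describes it: only 1000 possible salts.
# Assumption: the number is used as a decimal string.
def ssha_weak(password)
  ssha(password, rand(1000).to_s)
end

# Hardened form: 16 bytes from the OS CSPRNG.
def ssha_strong(password)
  ssha(password, SecureRandom.random_bytes(16))
end

# Return the salt bytes of a stored {SSHA} value, or nil if it is malformed.
def ssha_salt(value)
  return nil unless value.start_with?('{SSHA}')
  raw = value.delete_prefix('{SSHA}').unpack1('m')
  raw.bytesize > SHA1_LEN ? raw.byteslice(SHA1_LEN, raw.bytesize) : nil
end

# Audit check: does the salt look like a decimal number in 0..999?
def weak_salt?(value)
  salt = ssha_salt(value)
  !salt.nil? && salt.match?(/\A(?:0|[1-9]\d{0,2})\z/)
end

# Constructed directory export: DN => userPassword value.
SAMPLE = {
  'uid=alice,dc=example,dc=test' => ssha('correct horse', '417'),
  'uid=bob,dc=example,dc=test'   => ssha_strong('battery staple'),
  'uid=carol,dc=example,dc=test' => ssha_weak('hunter2')
}.freeze

# DNs whose hashes should be regenerated after upgrading the library.
def accounts_to_rehash(entries)
  entries.select { |_dn, hash| weak_salt?(hash) }.keys
end

puts accounts_to_rehash(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Upgrading to a patched version does not change hashes that are already stored; flagged accounts need their password hash regenerated.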