CVE-2018-1337: Plaintext Password Disclosure in Secured Channel Severity: Critical
Vendor: The Apache Software Foundation Versions Affected: Apache LDAP API 1.0.0 Description: A bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any informations contained in this request (including the credentials when sending a BIND request) Mitigation: Users are urged to use this 1.0.2 version ASAP. There is no impact in their application, the API remains unchanged. The previous version (LDAP API 1.0.1) was a workaround for this problem. History: 2018-05-15 Original advisory Credit: This issue has been reported by Wei Deng (Datastax), the initial workaround was proposed by Mike Adamson (Datastax) and the further investigations/tests/verification were conducted by Wei Deng, Mike Adamson, Jeremiah Kordan (Datastax) and Ben Coverston (Datastax). -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com