LDAP Authentication Bypass
Information
- Advisory ID: DSA-2023-010
- CVE reference: CVE-2023-51717
- CVSS Base Score: 9.8
- CVSS String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: Critical
- CWE classification: CWE-287
- Advisory Release Date: Dec 21st, 2023 19:00 CET
Summary
Before DSS 11.4.5 and 12.4.1, verification of credentials when authenticating with LDAP identity was insufficient.
Depending on the configuration of the LDAP server, this could lead to a full authentication bypass.
Affected Products
Dataiku DSS before 11.4.5 and 12.4.1
Affected Situations
Dataiku Cloud customers are not affected.
Only customers who have enabled LDAP support in DSS are affected.
Furthermore, to be affected, your LDAP server must be configured to allow “unauthenticated binds” (not to be confused with “anonymous binds”). The LDAP specification discourages this behavior, but it is the default behavior of Microsoft Active Directory.
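The difference between an anonymous bind and an unauthenticated bind, and the application-side check that closes the gap, as an added Python example that is not Dataiku's code: the LdapServer class is a toy model of the RFC 4513 simple-bind rules (not a real directory), and the DN and password are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BindResult:
    success: bool
    authenticated_as: Optional[str]  # None: the session is anonymous


@dataclass
class LdapServer:
    """Toy directory modelling the simple-bind rules of RFC 4513 (not a real
    LDAP server). passwords maps DN -> password; constructed sample data."""
    passwords: Dict[str, str]
    allow_unauthenticated_bind: bool = True  # the Active Directory default noted above

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, None)  # anonymous bind: no identity claimed
        if dn != "" and password == "":
            # Unauthenticated bind: a DN but no password. RFC 4513 says servers
            # SHOULD reject it by default; where it is allowed, the bind succeeds
            # but only establishes an anonymous session, not the named identity.
            return BindResult(self.allow_unauthenticated_bind, None)
        if self.passwords.get(dn) == password:
            return BindResult(True, dn)  # real authentication as dn
        return BindResult(False, None)


def login_vulnerable(server: LdapServer, dn: str, password: str) -> bool:
    """CWE-287 pattern: any successful bind is taken as proof of identity."""
    return server.simple_bind(dn, password).success


def login_hardened(server: LdapServer, dn: str, password: str) -> bool:
    """Rejects empty credentials before contacting the directory and requires
    the bind to have actually authenticated the requested DN."""
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authenticated_as == dn


ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample DN
DIRECTORY = LdapServer({ALICE: "correct horse"})  # constructed sample password

if __name__ == "__main__":
    print("vulnerable, empty password:", login_vulnerable(DIRECTORY, ALICE, ""))  # True
    print("hardened, empty password:", login_hardened(DIRECTORY, ALICE, ""))  # False
    print("hardened, real password:", login_hardened(DIRECTORY, ALICE, "correct horse"))  # True
```

With allow_unauthenticated_bind set to False the vulnerable login also fails on an empty password, which is why the advisory ties exposure to the directory's configuration.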
Mitigation
Customers running DSS 12.1.0 or above who are using SSO in addition to LDAP (i.e., users do not authenticate to DSS with their LDAP password but through SSO, and LDAP is only used for provisioning) can mitigate the issue by disabling “Allow user authentication” in the LDAP settings (Admin > Settings > User login & provisioning).
Remediation
Dataiku DSS 12.4.1 has been made available to customers to remediate this issue.
In addition, for customers still running DSS 11, DSS 11.4.5 has been made available to remediate the issue.
Acknowledgement
Dataiku would like to thank Christian Turri, consultant, for discovering and reporting the issue.
Contact
E-mail: security @ dataiku . com
Last modified
Dec 22nd, 2023
Timeline
- Dec 20th, 2023: Issue reported to vendor
- Dec 20th, 2023: Issue confirmed and acknowledged by vendor
- Dec 21st, 2023: Fixed versions published and advisory published
- Dec 22nd, 2023: CVE id assigned and added to the advisory