Search for vulnerabilities
Vulnerability details: VCID-q3rp-5qf2-1qde
Vulnerability ID VCID-q3rp-5qf2-1qde
Aliases CVE-2018-1000134
GHSA-qwq9-8rpf-8mp7
Summary UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn't check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-521 Weak Password Requirements
CWE-284 Improper Access Control
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 9.8 https://access.redhat.com/errata/RHSA-2018:1713
generic_textual CRITICAL https://access.redhat.com/errata/RHSA-2018:1713
cvssv3 7.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000134.json
epss 0.01597 https://api.first.org/data/v1/epss?cve=CVE-2018-1000134
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-qwq9-8rpf-8mp7
cvssv3.1 9.8 https://github.com/pingidentity/ldapsdk
generic_textual CRITICAL https://github.com/pingidentity/ldapsdk
cvssv3.1 9.8 https://github.com/pingidentity/ldapsdk/commit/801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb
generic_textual CRITICAL https://github.com/pingidentity/ldapsdk/commit/801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb
cvssv3.1 9.8 https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd
generic_textual CRITICAL https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd
cvssv3.1 9.8 https://github.com/pingidentity/ldapsdk/issues/40
generic_textual CRITICAL https://github.com/pingidentity/ldapsdk/issues/40
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000134
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2018-1000134
cvssv3.1 9.8 http://www.securityfocus.com/bid/103458
generic_textual CRITICAL http://www.securityfocus.com/bid/103458
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2018:1713
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000134.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1000134
https://github.com/pingidentity/ldapsdk
https://github.com/pingidentity/ldapsdk/commit/801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb
https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6
https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd
https://github.com/pingidentity/ldapsdk/issues/40
https://nvd.nist.gov/vuln/detail/CVE-2018-1000134
http://www.securityfocus.com/bid/103458
1557531 https://bugzilla.redhat.com/show_bug.cgi?id=1557531
GHSA-qwq9-8rpf-8mp7 https://github.com/advisories/GHSA-qwq9-8rpf-8mp7
RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2018:1713
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000134.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pingidentity/ldapsdk
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pingidentity/ldapsdk/commit/801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pingidentity/ldapsdk/issues/40
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000134
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/103458
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.80819
EPSS Score 0.01597
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T11:55:14.445173+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 36.1.3