You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Stefan Seelmann <se...@apache.org> on 2021/07/24 09:21:12 UTC
CVE-2021-33900: Apache Directory Studio: StartTLS and SASL
confidentiality protection bypass
Severity: high
Description:
While investigating DIRSTUDIO-1219 it was noticed that configured
StartTLS encryption was not applied when any SASL authentication
mechanism (DIGEST-MD5, GSSAPI) was used. While investigating
DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality
layer was not applied. This issue affects Apache Directory Studio
version 2.0.0.v20210213-M16 and prior versions.
Mitigation:
This issue was fixed in 2.0.0.v20210717-M17. All users using SASL are
recommended to upgrade to Apache Directory Studio 2.0.0.v20210717-M17.
Credit:
Apache Directory would like to thank Hugh Cole-Baker for reporting this
issue.