oss-sec mailing list archives

CVE Request: SASL authentication allows wrong credentials to access memcache

From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 30 Dec 2013 08:17:26 +0100

Hi

From upstream release notes for 1.4.17[1] it states "The other notable

bug is a SASL authentication bypass glitch. If a client makes an
invalid request with SASL credentials, it will initially fail. However
if you issue a second request with bad SASL credentials, it will
authenticate. This has now been fixed.".

The upstream bugreport is at [2], with the corresponding commit fixing
this issue at [3].

 [1] https://code.google.com/p/memcached/wiki/ReleaseNotes1417
 [2] https://code.google.com/p/memcached/issues/detail?id=316
 [3] https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32

Could a CVE be assigned to this issue?

Regards, and thanks in advance

Salvatore

Current thread:

CVE Request: SASL authentication allows wrong credentials to access memcache Salvatore Bonaccorso (Dec 29)
- Re: CVE Request: SASL authentication allows wrong credentials to access memcache cve-assign (Dec 30)