Apache Directory security advisories
Security information for Apache Directory
Reporting
Do you want disclose a potential security issue for Apache Directory? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Kerberos Pre-Authentication Bypass
CVE-2026-57915 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-26T12:09:53.178Z
Affected
- Apache Kerby before 2.1.2
Description
It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
References
StackOverflow on parsing deeply nested ASN1 structures
CVE-2026-57914 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-26T11:28:25.784Z
Affected
- Apache Kerby before 2.1.2
Description
By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it’s possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.
References
LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname
CVE-2026-35563 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-01T07:38:34.650Z
Affected
- Apache Directory LDAP API from 2.0.0 through 2.1.7
Description
It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise.
References
Credits
- Rafał Łykowski and Łukasz Kollbek of Qualtrics (finder)
LDAP Injection Vulnerability in Apache Kerby
CVE-2023-25613 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-18T09:14:01.669Z
Affected
- Apache Kerby LDAP Backend before 2.0.3
Description
An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3.
References
Credits
- 4ra1n of Chaitin Tech (finder)
StartTLS and SASL confidentiality protection bypass
CVE-2021-33900 [CVE] [CVE json] [OSV json]
Last updated: 2021-07-26T07:00:11.196Z
Affected
- Apache Directory Studio from unspecified through 2.0.0.v20210213-M16
Description
While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.
References
Credits
- Apache Directory would like to thank Hugh Cole-Baker for reporting this issue.