Apache Directory security advisories

Security information for Apache Directory

Reporting

Do you want disclose a potential security issue for Apache Directory? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Kerberos Pre-Authentication Bypass

CVE-2026-57915 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-26T12:09:53.178Z

Affected

  • Apache Kerby before 2.1.2

Description

It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

References

StackOverflow on parsing deeply nested ASN1 structures

CVE-2026-57914 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-26T11:28:25.784Z

Affected

  • Apache Kerby before 2.1.2

Description

By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it’s possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

References

LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname

CVE-2026-35563 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-01T07:38:34.650Z

Affected

  • Apache Directory LDAP API from 2.0.0 through 2.1.7

Description

It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise.


The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation.

The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client’s configured trust store.

The hostname verification has been enforced in the new version of the LDAP API

References

Credits

  • Rafał Łykowski and Łukasz Kollbek of Qualtrics (finder)

LDAP Injection Vulnerability in Apache Kerby

CVE-2023-25613 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-18T09:14:01.669Z

Affected

  • Apache Kerby LDAP Backend before 2.0.3

Description

An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. 

References

Credits

  • 4ra1n of Chaitin Tech (finder)

StartTLS and SASL confidentiality protection bypass

CVE-2021-33900 [CVE] [CVE json] [OSV json]

Last updated: 2021-07-26T07:00:11.196Z

Affected

  • Apache Directory Studio from unspecified through 2.0.0.v20210213-M16

Description

While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.

References

Credits

  • Apache Directory would like to thank Hugh Cole-Baker for reporting this issue.