java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind
Community Favorite
semgrepAuthor
73,396
Download Count*
License
Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.
Run Locally
Run in CI
Defintion
rules:
- id: anonymous-ldap-bind
metadata:
cwe:
- "CWE-287: Improper Authentication"
owasp:
- A02:2017 - Broken Authentication
- A07:2021 - Identification and Authentication Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS
category: security
technology:
- java
references:
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: HIGH
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authentication
message: Detected anonymous LDAP bind. This permits anonymous users to execute
LDAP statements. Consider enforcing authentication for LDAP. See
https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more
information.
severity: WARNING
pattern: |
$ENV.put($CTX.SECURITY_AUTHENTICATION, "none");
...
$DCTX = new InitialDirContext($ENV, ...);
languages:
- java
Examples
anonymous-ldap-bind.java
public class Cls {
public void ldapBind(Environment env) {
// ruleid:anonymous-ldap-bind
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
}
public void ldapBindSafe(Environment env) {
env.put(Context.SECURITY_AUTHENTICATION, "simple");
DirContext ctx = new InitialDirContext(env);
}
}
Short Link: https://sg.run/jR6A