The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allow remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| zendframework/zendframework (Packagist) | 2.0.0 | 2.0.99 | N/A |
| zendframework/zendframework (Packagist) | 2.1.0 | 2.1.99 | N/A |
| zendframework/zendframework (Packagist) | 2.2.0 | 2.2.8 | N/A |
| zendframework/zendframework (Packagist) | 2.3.0 | 2.3.3 | N/A |
| zendframework/zendframework1 (Packagist) | 1.12.0 | 1.12.9 | N/A |
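
The null-byte case from the description, as an added example (not Zend Framework's code or its actual patch): a caller-side guard that refuses empty and NUL-containing passwords before a simple bind, run against constructed inputs. The function names, the stand-in server and the C-string truncation model are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; every function name here is hypothetical.

// Model (assumption) of a C-string API receiving a PHP string:
// everything from the first NUL byte onward is dropped.
function passwordAsSeenByCApi(string $password): string
{
    $nul = strpos($password, "\0");
    return $nul === false ? $password : substr($password, 0, $nul);
}

// Returns null when the credentials may be passed to a simple bind,
// otherwise a reason string suitable for logging.
function bindRejectionReason(string $dn, string $password): ?string
{
    if ($dn === '') {
        return 'empty DN (anonymous bind)';
    }
    if ($password === '') {
        return 'empty password (unauthenticated bind)';
    }
    if (strpos($password, "\0") !== false) {
        return 'NUL byte in password';
    }
    return null;
}

// Wraps any bind callable (assumed shape: fn(string $dn, string $pw): bool)
// so rejected credentials never reach the directory server.
function guardedBind(callable $bind, string $dn, string $password): bool
{
    return bindRejectionReason($dn, $password) === null && $bind($dn, $password);
}

// Stand-in for a server that accepts unauthenticated binds: it only sees the
// truncated password, and an empty one "succeeds". 's3cret' is the real one.
$fakeBind = fn(string $dn, string $pw): bool =>
    in_array(passwordAsSeenByCApi($pw), ['', 's3cret'], true);

$dn = 'uid=alice,dc=example,dc=com';            // constructed sample DN
foreach (["s3cret", "", "\0anything", "abc\0def"] as $pw) {  // constructed inputs
    printf("%-18s unguarded=%-5s guarded=%s\n",
        json_encode($pw),
        var_export($fakeBind($dn, $pw), true),
        var_export(guardedBind($fakeBind, $dn, $pw), true));
}
```
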
CVSS Metrics