Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 733114 (CVE-2020-15813) - <app-admin/graylog-3.3.3: LDAP Authentication Bypass (CVE-2020-15813)
Summary: <app-admin/graylog-3.3.3: LDAP Authentication Bypass (CVE-2020-15813)
Alias: CVE-2020-15813
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa cve]
Keywords: PullRequest
Depends on:
Reported: 2020-07-18 03:35 UTC by John Helmert III (ajak)
Modified: 2020-08-06 17:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) gentoo-dev Security 2020-07-18 03:35:17 UTC

Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections. Unfortunately, the Graylog client code (in all versions that support LDAP) does not implement proper certificate validation (regardless of whether the "Allow self-signed certificates" option is used). Therefore, any attacker with the ability to intercept network traffic between a Graylog server and an LDAP server is able to redirect traffic to a different LDAP server (unnoticed by the Graylog server due to the lack of certificate validation), effectively bypassing Graylog's authentication mechanism.

Upstream issue has a fix in the 3.3.3 milestone (URL). PR (appears potentially unfinished):
Comment 1 Larry the Git Cow gentoo-dev 2020-08-06 16:09:19 UTC
The bug has been referenced in the following commit(s):

commit f22752d5c89481ddb1eda81cef7632ab4bcb217d
Author:     Tomáš Mózes <>
AuthorDate: 2020-08-05 09:02:55 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-08-06 16:09:13 +0000

    app-admin/graylog: drop vulnerable
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Thomas Deutschmann <>

 app-admin/graylog/Manifest             |  2 -
 app-admin/graylog/graylog-3.3.1.ebuild | 83 ----------------------------------
 app-admin/graylog/graylog-3.3.2.ebuild | 83 ----------------------------------
 3 files changed, 168 deletions(-)

commit 6ba778ceecf5cd87d8f90c931e891cdff644564a
Author:     Tomáš Mózes <>
AuthorDate: 2020-08-05 09:02:12 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-08-06 16:09:12 +0000

    app-admin/graylog: bump to 3.3.3
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Thomas Deutschmann <>

 app-admin/graylog/Manifest             |  1 +
 app-admin/graylog/graylog-3.3.3.ebuild | 83 ++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-08-06 17:03:48 UTC