Platform: python
Component: alerta-server
Fixed in: 8.1.1, 8.1.0
CVE-2020-26214 describes an Authentication Bypass vulnerability in Alerta Server. It allows an attacker to bypass LDAP authentication by supplying an empty password in environments where the LDAP server permits unauthenticated binds. The vulnerability affects versions of Alerta Server up to and including 8.0.3. A fix has been implemented in version 8.1.0.
The primary impact of CVE-2020-26214 is unauthorized access to the Alerta Server. An attacker who can bypass LDAP authentication can gain access to sensitive data and potentially compromise the entire system. This could involve modifying alert configurations, creating or deleting users, and disrupting monitoring operations. The vulnerability is particularly concerning because it leverages a misconfiguration on the LDAP server side, rather than a flaw within Alerta Server itself. Exploitation requires the LDAP server to be configured to allow unauthenticated binds, a common default setting on Active Directory installations.
CVE-2020-26214 was publicly disclosed on November 6, 2020. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, likely due to the requirement of a specific LDAP server configuration.
Exploit Status
EPSS: 89.46% (100th percentile)
The primary mitigation for CVE-2020-26214 is to upgrade Alerta Server to version 8.1.0 or later, which includes a fix that returns an HTTP 401 Unauthorized response for empty password authentication attempts. If upgrading is not immediately feasible, LDAP administrators can implement a workaround by disallowing unauthenticated bind requests from clients. This can be configured within the LDAP server itself. Monitor LDAP logs for unusual authentication attempts, particularly those with empty passwords. After upgrading, confirm the fix by attempting authentication with an empty password and verifying that it results in a 401 Unauthorized response.
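To make the bypass and the fix concrete, here is an added example (not Alerta's own code) that models the login flow against a constructed stand-in for an LDAP server that accepts unauthenticated binds, and shows why rejecting empty credentials before the bind is attempted closes the gap. The `PermissiveLdapServer` class, the `cn=...,ou=users,dc=example,dc=org` DN layout and the sample password are all assumptions for the demonstration.

```python
# Added example, not code from the Alerta project: an empty-password bypass of
# bind-based LDAP login, beside the fixed flow that refuses empty credentials.


class PermissiveLdapServer:
    """Constructed stand-in for a directory that, like Active Directory by
    default, treats a bind with a DN and an empty password as an
    'unauthenticated bind' (RFC 4513 section 5.1.2) and reports success."""

    def __init__(self, passwords):
        # {dn: password}, constructed test data only
        self.passwords = passwords

    def simple_bind(self, dn, password):
        """Return True when the bind succeeds, False on invalid credentials."""
        if password == "":
            return True  # unauthenticated bind accepted by this server
        return self.passwords.get(dn) == password


def user_dn(username):
    # Assumed DN layout for the example directory
    return f"cn={username},ou=users,dc=example,dc=org"


def login_vulnerable(server, username, password):
    """Pre-fix style flow: bind with whatever password the client supplied.
    Against a permissive server an empty password is reported as success."""
    if server.simple_bind(user_dn(username), password):
        return 200
    return 401


def login_fixed(server, username, password):
    """Patched flow: refuse empty credentials before any bind is attempted,
    so the application never issues an unauthenticated bind on a user's behalf
    and answers 401 Unauthorized as the 8.1.0 fix does."""
    if not username or not password:
        return 401
    if server.simple_bind(user_dn(username), password):
        return 200
    return 401
```

The same two calls with an empty password are also the post-upgrade check the text recommends: a patched server must answer 401, never 200.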
Update Alerta to version 8.1.0 or higher. Alternatively, LDAP administrators can disable unauthenticated bind requests by clients in the LDAP server configuration.
CVE-2020-26214 is a critical vulnerability in Alerta Server versions up to 8.0.3 that allows attackers to bypass LDAP authentication by providing an empty password if the LDAP server permits unauthenticated binds.
You are affected if you are using Alerta Server version 8.0.3 or earlier and your LDAP server allows unauthenticated bind requests.
Upgrade Alerta Server to version 8.1.0 or later. Alternatively, configure your LDAP server to disallow unauthenticated bind requests.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-26214.
Refer to the Alerta GitHub pull request for details: https://github.com/alerta/alerta/pull/1345