CVE-2020-26214 describes an Authentication Bypass vulnerability in Alerta Server. This allows attackers to potentially bypass LDAP authentication by providing an empty password, particularly in environments where LDAP servers permit unauthenticated binds. The vulnerability affects versions of Alerta Server up to and including 8.0.3. A fix has been implemented in version 8.1.0.
The primary impact of CVE-2020-26214 is unauthorized access to the Alerta Server. An attacker who can bypass LDAP authentication can gain access to sensitive data and potentially compromise the entire system. This could involve modifying alert configurations, creating or deleting users, and disrupting monitoring operations. The vulnerability is particularly concerning because it leverages a misconfiguration on the LDAP server side, rather than a flaw within Alerta Server itself. Exploitation requires the LDAP server to be configured to allow unauthenticated binds, a common default setting on Active Directory installations.
CVE-2020-26214 was publicly disclosed on November 6, 2020. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, likely due to the requirement of a specific LDAP server configuration.
Organizations using Alerta Server for incident monitoring and alerting, particularly those relying on LDAP for authentication and using default Active Directory configurations, are at risk. Shared hosting environments where LDAP server configurations are managed centrally are also potentially vulnerable.
• python / server:
  # Check the installed Alerta Server version (the package is "alerta-server")
  pip show alerta-server
• python / server:
  # Check LDAP configuration in alerta.yml for allow_empty_password
  grep -r 'allow_empty_password' /etc/alerta/alerta.yml
• generic web:
  # Attempt authentication with an empty password and check for 401 Unauthorized
  # (Alerta's /auth/login expects a JSON body carrying username and password)
  curl -i -X POST -H 'Content-Type: application/json' \
       -d '{"username": "<ldap_username>", "password": ""}' \
       http://<alerta_server_ip>/auth/login
EPSS: 89.46% (100th percentile)
The primary mitigation for CVE-2020-26214 is to upgrade Alerta Server to version 8.1.0 or later, which includes a fix that returns an HTTP 401 Unauthorized response for empty password authentication attempts. If upgrading is not immediately feasible, LDAP administrators can implement a workaround by disallowing unauthenticated bind requests from clients. This can be configured within the LDAP server itself. Monitor LDAP logs for unusual authentication attempts, particularly those with empty passwords. After upgrading, confirm the fix by attempting authentication with an empty password and verifying that it results in a 401 Unauthorized response.
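As an added illustration (not Alerta's own code), the login pattern that produces CVE-2020-26214 beside the hardened form that returns 401 before any bind is attempted; `FakeLdapServer` is a constructed stand-in that models RFC 4513's unauthenticated-bind rule (non-empty DN, empty password), and the DN template `cn=<user>,dc=example,dc=com` is an assumption.

```python
# Illustration of the CVE-2020-26214 failure mode: a login handler that passes
# an empty password straight to an LDAP simple bind, beside the hardened check.
# FakeLdapServer is a constructed stand-in (not python-ldap, not Alerta's code)
# modelling RFC 4513 section 5.1.2: a simple bind with a non-empty DN and an
# empty password is an "unauthenticated bind", which a permissively configured
# directory answers with success without checking any credential.
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Constructed directory: dn -> password. allow_unauthenticated mimics a
    server that accepts DN-without-password binds (the misconfiguration the
    advisory describes)."""
    users: dict = field(default_factory=dict)
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn and password == "":
            # RFC 4513 "unauthenticated bind": no credential is checked at all.
            return self.allow_unauthenticated
        return self.users.get(dn) == password


def vulnerable_login(server: FakeLdapServer, username: str, password: str) -> int:
    """Pre-8.1.0 pattern: whatever the client sent goes straight into the bind."""
    dn = f"cn={username},dc=example,dc=com"  # assumed DN template
    return 200 if server.simple_bind(dn, password) else 401


def hardened_login(server: FakeLdapServer, username: str, password: str) -> int:
    """Fixed pattern: reject empty credentials before any bind is attempted,
    so the directory's unauthenticated-bind policy can no longer be reached."""
    if not username or not password:
        return 401
    dn = f"cn={username},dc=example,dc=com"  # assumed DN template
    return 200 if server.simple_bind(dn, password) else 401


if __name__ == "__main__":
    directory = FakeLdapServer(users={"cn=alice,dc=example,dc=com": "s3cret"})
    print("vulnerable, empty password:", vulnerable_login(directory, "alice", ""))  # 200
    print("hardened, empty password:  ", hardened_login(directory, "alice", ""))    # 401
```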
Upgrade Alerta to version 8.1.0 or later. Alternatively, LDAP administrators can disable unauthenticated bind requests from clients in the LDAP server configuration.
CVE-2020-26214 is a critical vulnerability in Alerta Server versions up to 8.0.3 that allows attackers to bypass LDAP authentication by providing an empty password if the LDAP server permits unauthenticated binds.
You are affected if you are using Alerta Server version 8.0.3 or earlier and your LDAP server allows unauthenticated bind requests.
Upgrade Alerta Server to version 8.1.0 or later. Alternatively, configure your LDAP server to disallow unauthenticated bind requests.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-26214.
Refer to the Alerta GitHub pull request for details: https://github.com/alerta/alerta/pull/1345