Moderate severity · NVD Advisory · Published Mar 1, 2013 · Updated Apr 29, 2026
CVE-2012-5604
Description
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.
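The description does not say how the bypass works; the fix commit below does. Against Active Directory (and any server that allows it), an LDAP simple bind with a non-empty name and a zero-length password is an "unauthenticated" bind (RFC 4513 section 5.1.2): the server answers success and grants an anonymous authorization state without checking any credential. A login form that forwards an empty password to `bind?` therefore logs in any known user. The following Ruby block is an added illustration, not ldap_fluff's code; `FakeAdDirectory`, `authenticate_vulnerable?`, `authenticate_fixed?` and `bypass_matrix` are constructed names, and the directory is an in-memory stand-in for a server (the real gem binds through net-ldap, whose API is not used here).

```ruby
# Added illustration (not ldap_fluff's own code): why an empty password
# bypasses authentication against Active Directory, and the check that closes it.
#
# RFC 4513 section 5.1.2: a simple Bind with a non-empty name and a zero-length
# password is an unauthenticated bind. Servers that allow it (Active Directory
# by default) return success and an anonymous authorization state; the
# password is never verified.

# Constructed stand-in for a directory server. This models the server's
# behaviour; it is not net-ldap's API.
class FakeAdDirectory
  def initialize(users)
    @users = users # { "uid" => "password" }
  end

  # true on a successful simple bind. Mirrors the AD default:
  # non-empty name + empty password => unauthenticated bind => success.
  def bind?(uid, password)
    return false if uid.nil? || uid.empty?
    return true if password.nil? || password.empty? # the dangerous case
    @users[uid] == password
  end
end

# Shape of the vulnerable method (ldap_fluff < 0.4.0): the credentials are
# handed straight to the bind, so a blank password is never noticed.
def authenticate_vulnerable?(ldap, uid, password)
  ldap.bind?(uid, password)
end

# Hardened form, as in 0.4.0: refuse to bind at all when the password is
# blank. Rejecting a blank uid and using to_s (so a non-String does not
# raise) are extra guards added here, not part of the fix commit.
def authenticate_fixed?(ldap, uid, password)
  return false if uid.nil? || uid.to_s.empty?
  return false if password.nil? || password.to_s.empty?
  ldap.bind?(uid, password)
end

# Constructed sample directory: one user with a known password.
DIRECTORY = FakeAdDirectory.new("alice" => "s3cret")

# Each row: [uid, password, vulnerable_result, fixed_result]
def bypass_matrix(ldap = DIRECTORY)
  attempts = [["alice", "s3cret"], ["alice", "wrong"], ["alice", ""], ["alice", nil], ["", ""]]
  attempts.map do |uid, pw|
    [uid, pw, authenticate_vulnerable?(ldap, uid, pw), authenticate_fixed?(ldap, uid, pw)]
  end
end

if __FILE__ == $0
  bypass_matrix.each do |uid, pw, vuln, fixed|
    printf("%-8s %-9s vulnerable=%-5s fixed=%s\n", uid.inspect, pw.inspect, vuln, fixed)
  end
end
```

The third and fourth rows of the matrix are the CVE: a valid account name with an empty or nil password authenticates under the old method and is refused under the fixed one, while correct and wrong passwords behave identically in both. The same pre-bind check belongs in any code path that performs a simple bind on behalf of a user, since the server cannot distinguish "I have no password" from "I want an anonymous session".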
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| ldap_fluff | RubyGems | < 0.4.0 | 0.4.0 |
Affected products
- cpe:2.3:a:redhat:cloudforms:1.1:*:*:*:*:*:*:*
Patches
- e4c90a522275 Protect against passwordless auth in ldap
1 file changed · +6 −1
lib/ldap_fluff/ldap_fluff.rb+6 −1 modified@@ -23,7 +23,12 @@ def initialize(config=nil) # return true if the user password combination # authenticates the user, otherwise false def authenticate?(uid, password) - @ldap.bind? uid, password + if password.nil? || password.empty? + # protect against passwordless auth from ldap server + return false + else + @ldap.bind? uid, password + end end # return a list[] of groups for a given uid
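Review bot: the new guard in `authenticate?` calls `password.empty?` directly, which raises `NoMethodError` for a non-String value instead of returning false; `if password.nil? || password.to_s.empty?` refuses every blank form and never raises. The comment `# protect against passwordless auth from ldap server` would help future readers more if it named the mechanism: a simple bind with a non-empty name and a zero-length password is an unauthenticated bind (RFC 4513 section 5.1.2) that Active Directory accepts as anonymous and reports as success, which is why `@ldap.bind? uid, password` previously returned true for any known uid with an empty password. The `uid` argument is still passed to the bind unchecked; a matching `uid.nil? || uid.empty?` early return would make the contract stated in `# return true if the user password combination` / `# authenticates the user, otherwise false` hold for both inputs.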
References
- rhn.redhat.com/errata/RHSA-2013-0544.html (vendor advisory; via NVD)
- github.com/advisories/GHSA-9whh-582r-589h (advisory; via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2012-5604 (advisory; via GHSA)
- bugzilla.redhat.com/show_bug.cgi (web; via NVD)
- github.com/theforeman/ldap_fluff/commit/e4c90a522275aeaa48ca9982ce75597f0954af48 (fix commit; via GHSA)