Vulnerability Description
Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Barracuda | Load Balancer Adc Firmware | <= 6.4 |
| Barracuda | Load Balancer Adc | - |
Related Weaknesses (CWE)
References
- https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-expoExploitThird Party Advisory
- https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-expoExploitThird Party Advisory
FAQ
What is CVE-2019-5648?
CVE-2019-5648 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to...
How severe is CVE-2019-5648?
CVE-2019-5648 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-5648?
Check the references section above for vendor advisories and patch information. Affected products include: Barracuda Load Balancer Adc Firmware, Barracuda Load Balancer Adc.