Security Alert #1: LDAP Authentication Issue
Users and Customers running ArangoDB 3.2.17 or higher, 3.3.19 or higher, or 3.4.0-RC.3 or higher, are not affected by the issue described in this Security Alert.
This Security Alert only affects Users and Customers using LDAP to authenticate to ArangoDB (i.e. the ArangoDB option –ldap.enabled of your installation is set to true). If you are using the built-in, local ArangoDB authentication, you are not affected by the issue described below.
Issue Description
When ArangoDB is configured to use LDAP (–ldap.enabled is true), and under certain conditions, it might be possible to login into ArangoDB by passing a valid username (–server.username) and a blank password.
The root cause of this issue is linked to the fact that it is possible to configure an LDAP server to allow anonymous binds. These binds are done by specifying an empty password.
Issue Resolution
ArangoDB version 3.2.17 or higher, 3.3.19 or higher, and version 3.4.0-RC.3 or higher include a fix for the issue described in this Security Alert.
Additional Questions
In case of any questions, please contact us. ArangoDB Customers can open a support ticket in our Support Platform.