Skip to content

bug(django): LDAP authentication without TLS #309

Description

@thejoeejoee

Description

In django/thesaurus/settings.py, LDAP is configured with LDAP_AUTH_USE_TLS = False. LDAP credentials (username + password) are sent in plaintext over the network, making them vulnerable to network sniffing.

Severity

High — credential exposure in transit.

Location

django/thesaurus/settings.pyLDAP_AUTH_USE_TLS

Fix

Set LDAP_AUTH_USE_TLS = True and configure the appropriate TLS certificate settings, or switch to LDAPS (port 636).

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingimpact: highHigh impact — security or significant logic issuepythonPull requests that update Python codesecuritySecurity vulnerability

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions