Severity score: 7.5
CWE: CWE-319, CWE-311

CVE-2021-33900: StartTLS and SASL confidentiality protection bypass

First published: Mon Jul 26 2021

While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.

Credit: security@apache.org

Affected Software          Affected Version      How to fix
Apache Directory Studio    <=1.5.3
Apache Directory Studio    =2.0.0-milestone1
Apache Directory Studio    =2.0.0-milestone10
Apache Directory Studio    =2.0.0-milestone11
Apache Directory Studio    =2.0.0-milestone12
Apache Directory Studio    =2.0.0-milestone13
Apache Directory Studio    =2.0.0-milestone14
Apache Directory Studio    =2.0.0-milestone15
Apache Directory Studio    =2.0.0-milestone16
Apache Directory Studio    =2.0.0-milestone2
Apache Directory Studio    =2.0.0-milestone3
Apache Directory Studio    =2.0.0-milestone4
Apache Directory Studio    =2.0.0-milestone5
Apache Directory Studio    =2.0.0-milestone6
Apache Directory Studio    =2.0.0-milestone7
Apache Directory Studio    =2.0.0-milestone8
Apache Directory Studio    =2.0.0-milestone9


Frequently Asked Questions

  • What is the severity of CVE-2021-33900?

    The severity of CVE-2021-33900 is classified as Medium due to the lack of StartTLS encryption during SASL authentication.

  • How do I fix CVE-2021-33900?

    To fix CVE-2021-33900, you should upgrade to a non-vulnerable version of Apache Directory Studio that correctly implements StartTLS for SASL mechanisms.

  • Which versions of Apache Directory Studio are affected by CVE-2021-33900?

    CVE-2021-33900 affects Apache Directory Studio versions up to 1.5.3 and all milestone releases of version 2.0.0.

  • What happens if I am using an affected version of Apache Directory Studio with CVE-2021-33900?

    Using an affected version may expose sensitive data over the network, as it does not enforce encryption during SASL authentication.

  • Is there a workaround for CVE-2021-33900?

    Currently, the recommended action is to upgrade to the latest version of Apache Directory Studio, as there is no documented workaround for this vulnerability.
