LDAP Server NULL Bind Connection Information Disclosure

medium Nessus Plugin ID 10723


The remote LDAP server allows anonymous access.


The LDAP server on the remote host is currently configured such that a user can connect to it without authentication - via a 'NULL BIND' - and query it for information. Although the queries that are allowed are likely to be fairly restricted, this may result in disclosure of information that an attacker could find useful.

This plugin does not identify servers that use LDAP v3 since anonymous access -- a 'NULL BIND' -- is required by that version of the protocol.


Configure the service to disallow NULL BINDs.
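To confirm the setting took effect on a server you administer, the following added example (not part of the plugin or its source) builds the anonymous simple bind described above and reads the resultCode from the server's BindResponse. The function names, the default protocol version and the two sample responses are assumptions constructed for illustration.

```python
import socket

ACCEPTED = bytes.fromhex("300c02010161070a010004000400")  # constructed: resultCode 0
REFUSED = bytes.fromhex("300c02010161070a013004000400")   # constructed: resultCode 48

def _tlv(tag, value):
    """Encode one BER element; short-form length is enough for these tiny messages."""
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def anonymous_bind_request(msg_id=1, version=3):
    """LDAPMessage carrying a simple BindRequest with empty DN and empty password."""
    bind = _tlv(0x02, bytes([version])) + _tlv(0x04, b"") + _tlv(0x80, b"")
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(response):
    """Return the LDAP resultCode from a BindResponse (0 = success)."""
    tag, body, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)          # skip messageID
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                          # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def allows_null_bind(host, port=389, version=3, timeout=5.0):
    """True if the server you administer accepts the anonymous bind."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request(version=version))
        return bind_result_code(sock.recv(4096)) == 0
```

A result of 0 only shows that the bind itself was accepted; what an anonymous session can then read depends on the server's access controls.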

Plugin Details

Severity: Medium

ID: 10723

File Name: ldap_null_bind.nasl

Version: 1.39

Type: remote

Family: Misc.

Published: 8/13/2001

Updated: 8/28/2023

Risk Information

CVSS Score Rationale: Score based on potential information disclosure.


CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: manual


CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

Vulnerability Publication Date: 3/15/1999