Skip to content

Unauthenticated Arbitrary Object Instantiation / Unauthenticated Remote Code Execution

High
gruberroland published GHSA-r387-grjx-qgvw Jun 27, 2022

Package

ldap-account-manager (none)

Affected versions

< 8.0

Patched versions

8.0

Description

Impact

There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument.
This can lead to code execution if non-LAM classes are instantiated that execute code during object creation.

Patches

The issue is fixed in version 8.0.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Credits

Arseniy Sharoglazov

Severity

High
8.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H

CVE ID

CVE-2022-31084

Weaknesses

No CWEs