Unauthenticated LDAP Injection

Moderate
gruberroland published GHSA-wxf8-9x99-6gp4 Jun 27, 2022

Package

ldap-account-manager (none)

Affected versions

< 8.0

Patched versions

8.0

Description

Impact

The user name field of the login form could be used to enumerate LDAP data via LDAP injection. This only applies when admin access is configured through an LDAP search.
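As an added illustration that is not part of this advisory or of LDAP Account Manager's own code: the standard mitigation for this class of bug is to escape the login input per RFC 4515 before it is placed in a search filter, and to check that the resulting filter still has the single-assertion shape the lookup expects. Function names and the sample login value are constructed for the example.

```python
# Constructed example for CVE-2022-31088 (not code from LDAP Account Manager).
import re

# RFC 4515 requires these characters inside an assertion value to be
# written as backslash + two hex digits. Backslash is handled first so the
# escapes it introduces are not escaped a second time.
_FILTER_ESCAPES = [
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
]


def escape_filter_value(value: str) -> str:
    """Return `value` escaped for use as an assertion value in an LDAP filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_user_filter_unsafe(attr: str, username: str) -> str:
    """Vulnerable pattern: the login name is concatenated into the filter as-is."""
    return f"({attr}={username})"


def build_user_filter(attr: str, username: str) -> str:
    """Hardened pattern: the login name is escaped before concatenation."""
    return f"({attr}={escape_filter_value(username)})"


# A lookup for exactly one user must be a single equality assertion whose
# value contains no bare metacharacters and no wildcard; anything else means
# the user-supplied input changed the structure of the filter.
_SINGLE_EQUALITY = re.compile(
    r"^\([A-Za-z][A-Za-z0-9-]*=(?:[^*()\\]|\\[0-9a-fA-F]{2})+\)$"
)


def is_single_equality_filter(ldap_filter: str) -> bool:
    """True when `ldap_filter` is one plain (attr=value) equality assertion."""
    return _SINGLE_EQUALITY.match(ldap_filter) is not None


if __name__ == "__main__":
    name = "j.doe*"  # constructed login input containing a filter metacharacter
    for builder in (build_user_filter_unsafe, build_user_filter):
        flt = builder("uid", name)
        print(f"{flt!r:24} single-equality={is_single_equality_filter(flt)}")
```

The structural check is a second line of defence: escaping alone fixes the bug, but rejecting any filter that is not a single equality assertion also catches a future call site that forgets to escape.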

Patches

The issue is fixed in version 8.0.

Workarounds

Grant admin access via a fixed list of accounts instead of an LDAP search.

For more information

If you have any questions or comments about this advisory:

Credits

Arseniy Sharoglazov

Severity

Moderate
6.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE ID

CVE-2022-31088

Weaknesses

No CWEs