LDAP Injection #5426
Comments
Thank you for reporting this and sorry that you didn't get a reply. I will try to check if we can recover the original email and whether we have an issue with the security@ mailbox. As for the issue: while it's true that the search operator is open to injection, I'm not sure what the attacker might achieve using the injection? I might be misunderstanding something about LDAP, so maybe my question is dumb.

redash/redash/authentication/ldap_auth.py, lines 71 to 98 in 0560e24
The way I understand the LDAP authentication function, it does:
If I make an injection, the most that can happen is that I will try to login as a different user. At this point I need to provide the user's password. If I know the other user's password, I might as well provide their email address - why do I need to make an injection?
Thank you for the reply, there's no problem from my side regarding the email issue, since the vulnerability is not critical. Regarding your question, an attacker may exfiltrate the attributes assigned in Having two accounts: This issue may arise if Regarding the CVE description and the impact of the vulnerability, you are totally right, an authentication bypass will never occur (description change already requested), but since the repository is in active development, a fix would prevent more vulnerabilities on this side. When it comes to patching, I suggest using what this comment suggests.
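The patching suggestion above comes down to escaping the user-supplied value before it is substituted into the LDAP search filter. The following is an added illustration, not redash's code: it assumes a search template of the form `(mail=%s)` filled in with Python `%` substitution (a stand-in for whatever template setting the application reads), shows how the unescaped form lets filter metacharacters change the filter's structure, and pairs RFC 4515 escaping with a defensive check that the final filter is still a single `(attr=value)` lookup.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so they cannot alter the structure of the filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template: str, email: str) -> str:
    """Filter built by plain string substitution (the pattern at issue).

    `template` is an assumed search template such as "(mail=%s)"; the
    login form value is dropped in verbatim.
    """
    return template % email


def build_filter_safe(template: str, email: str) -> str:
    """Same substitution, but the user-controlled value is escaped first."""
    return template % escape_filter_value(email)


# One equality clause: "(" attribute "=" value ")" with no nested parens.
_SINGLE_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][\w.;-]*)=(?P<val>[^()]*)\)$")


def is_single_equality_filter(ldap_filter: str) -> bool:
    """Defensive check before the search is sent: the filter must still be
    exactly one (attr=value) lookup, with no extra clauses or wildcards."""
    m = _SINGLE_EQUALITY.match(ldap_filter)
    return m is not None and "*" not in m.group("val")


if __name__ == "__main__":
    # Constructed login-form value containing filter metacharacters.
    crafted = "*)(mail=*"
    print(build_filter_unsafe("(mail=%s)", crafted))  # structure changed
    print(build_filter_safe("(mail=%s)", crafted))    # metacharacters escaped
```

The escaped filter matches only a mailbox literally named with those characters, which is the intended outcome; rejecting any filter that fails `is_single_equality_filter` gives a second line of defence if a template is ever filled in without escaping.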
Closing as it seems to be a
I've tried to contact the security team through security@redash.io but had no response. I'm attaching the CVE contents for a proper fix.

Suggested description
Vulnerability Type: Other
Affected Component:
Attack Type:
Impact: Information Disclosure
Attack Vectors:
Reference: