Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames

High
chadlwilson published GHSA-x5v3-x9qj-mh3h Apr 9, 2022

Package

gocd-server

Affected versions

>= 17.5.0, < 22.1.0

Patched versions

22.1.0

Description

Impact

The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries.

While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g. alternate fields, usernames, hashed passwords, etc.) through brute-force mechanisms.

This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and is only exploitable by users authenticating using such an LDAP configuration.
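The root cause described above is a user-supplied username being interpolated into an LDAP search filter without RFC 4515 escaping. The following added example (not code from GoCD or the gocd-ldap-authentication-plugin, which are written in Java) shows the difference in Python: a naive filter builder that interpolates the raw username, the hardened builder that escapes filter metacharacters first, and a structural check a defender can use to confirm that a username cannot alter the shape of the resulting filter. The `{0}` placeholder and the `(uid={0})` template are assumptions chosen for illustration, as is the constructed sample username.

```python
"""Escape user input before placing it in an LDAP search filter (RFC 4515)."""

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value. Backslash is included so that the escape sequences
# themselves cannot be forged by the caller.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Characters that change the structure or matching semantics of a filter.
_FILTER_METACHARS = "()*"


def escape_filter_value(value: str) -> str:
    """Return `value` with every LDAP filter metacharacter hex-escaped.

    Escaping is done per character from a fixed table, so the backslash is
    never double-escaped and the order of replacements cannot introduce a bug.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(template: str, username: str) -> str:
    """Vulnerable pattern: the raw username is substituted into the filter.

    Any metacharacters in `username` become part of the filter grammar.
    """
    return template.replace("{0}", username)


def build_user_filter_safe(template: str, username: str) -> str:
    """Hardened pattern: escape the username before substitution."""
    return template.replace("{0}", escape_filter_value(username))


def filter_structure_preserved(template: str, built_filter: str) -> bool:
    """Check that substitution did not add any filter metacharacters.

    The count of '(', ')' and '*' in the built filter must equal the count in
    the template; anything extra came from the user-controlled value and means
    the value was able to alter the filter's structure.
    """
    expected = sum(template.count(c) for c in _FILTER_METACHARS)
    actual = sum(built_filter.count(c) for c in _FILTER_METACHARS)
    return expected == actual


if __name__ == "__main__":
    template = "(uid={0})"  # assumed search-filter template with {0} placeholder
    sample_username = "a*b(c)\\d"  # constructed value containing metacharacters

    unsafe = build_user_filter_unsafe(template, sample_username)
    safe = build_user_filter_safe(template, sample_username)

    print("unsafe :", unsafe, "| structure preserved:",
          filter_structure_preserved(template, unsafe))
    print("safe   :", safe, "| structure preserved:",
          filter_structure_preserved(template, safe))
```

In a real deployment the escaping belongs in the code path that builds the filter (the plugin's search code), not in input validation at the login form, because the login form is not the only place a username can originate from. The structural check is useful as a unit test or as a log-time assertion on filters the server is about to send.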

Patches

Fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.

Workarounds

  • removing any authorization configurations for the bundled LDAP Authentication plugin
  • if running outside Docker/Helm, users on GoCD 20.9.0+ can manually upgrade the bundled plugin to v2.2.0-144
  • users on GoCD 20.9.0+ who are not able to upgrade to 22.1.0 can consider migrating their LDAP authorization configuration to the patched v4.2.0-73+ version of the LDAP Authorization Plugin, which supports both authentication and (optional) authorization to map to GoCD roles. This plugin was also subject to the same vulnerability in versions <= 4.1.0; however, since it is not bundled, it is more easily upgraded by users.

For more information

If you have any questions or comments about this advisory:

Severity

High (8.1 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2022-24832