SQL Injection Affecting openldap package, versions <2.4.47+dfsg-3+deb10u7

Severity: critical

Snyk CVSS: Attack Complexity Low, Confidentiality High, Integrity High, Availability High
NVD: 9.8 critical
SUSE: 9.4 critical
Red Hat: 6.5 medium

  • Snyk ID SNYK-DEBIAN10-OPENLDAP-2808412
  • published 5 May 2022
  • disclosed 4 May 2022

How to fix?

Upgrade Debian:10 openldap to version 2.4.47+dfsg-3+deb10u7 or higher. Because the flaw sits in slapd's experimental back-sql backend, only servers running slapd with a sql database configured can be reached through this bug; the other binaries built from the openldap source package should still be upgraded so the fixed version is in place. After upgrading, confirm the installed version with dpkg-query -W slapd.

NVD Description

Note: Versions mentioned in the description apply to the upstream openldap package. See How to fix? for Debian:10 relevant versions.

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
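The bug class above is an LDAP-filter-to-SQL translator that copies the assertion value of a search filter into SQL text without escaping it. The following is an added illustration of that class, not OpenLDAP's back-sql code: a toy translator (the functions search_unsafe, search_safe, parse_equality_filter and the persons table are all hypothetical names) that maps a simple equality filter such as (uid=alice) onto a SELECT against an in-memory SQLite table holding constructed sample rows. The vulnerable version interpolates the value into the statement, so a filter value carrying a quote rewrites the WHERE clause; the hardened version allow-lists the column name and passes the value as a bound parameter.

```python
import re
import sqlite3

# Constructed sample directory data for the demonstration (not from any real server).
ROWS = [
    ("alice", "Alice Example", "secret-a"),
    ("bob", "Bob Example", "secret-b"),
]

# Only these attributes may be mapped onto column names; column names cannot be
# bound as parameters, so they need an allow-list rather than escaping.
ALLOWED_ATTRS = {"uid", "cn"}

# Hypothetical simplified filter grammar: a single equality assertion.
FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$", re.S)


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (uid TEXT, cn TEXT, userpassword TEXT)")
    conn.executemany("INSERT INTO persons VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def parse_equality_filter(ldap_filter):
    """Split '(attr=value)' into (attr, value); reject anything else."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are supported here")
    attr, value = m.group(1), m.group(2)
    if attr not in ALLOWED_ATTRS:
        raise ValueError("attribute not mapped to a column: %s" % attr)
    return attr, value


def search_unsafe(conn, ldap_filter):
    """Vulnerable translation: the assertion value is pasted into the SQL text
    verbatim, the 'lack of proper escaping' pattern the advisory describes."""
    attr, value = parse_equality_filter(ldap_filter)
    sql = "SELECT uid FROM persons WHERE %s = '%s' ORDER BY uid" % (attr, value)
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, ldap_filter):
    """Hardened translation: the column name comes from the allow-list and the
    value travels as a bound parameter, so it can never become SQL syntax."""
    attr, value = parse_equality_filter(ldap_filter)
    sql = "SELECT uid FROM persons WHERE %s = ? ORDER BY uid" % attr
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    benign = "(uid=alice)"
    # A value containing a quote: harmless data to the safe path, a rewritten
    # WHERE clause to the unsafe one.
    hostile = "(uid=x' OR '1'='1)"
    print("unsafe, benign filter :", search_unsafe(db, benign))
    print("safe,   benign filter :", search_safe(db, benign))
    print("unsafe, hostile filter:", search_unsafe(db, hostile))
    print("safe,   hostile filter:", search_safe(db, hostile))
```

Run it and the hostile filter returns every row from search_unsafe and nothing from search_safe, while the benign filter behaves identically on both paths. SQLite's execute() refuses stacked statements, so this toy only shows WHERE-clause rewriting; a backend that allows multiple statements per call would expose correspondingly more.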