Insufficiently Protected Credentials Affecting ldap-account-manager package, versions <8.0.1-0+deb11u1


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.15% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN11-LDAPACCOUNTMANAGER-2936745
  • published29 Jun 2022
  • disclosed27 Jun 2022

Introduced: 27 Jun 2022

CVE-2022-31085  (opens in a new tab)
CWE-522  (opens in a new tab)

How to fix?

Upgrade Debian:11 ldap-account-manager to version 8.0.1-0+deb11u1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ldap-account-manager package and not the ldap-account-manager package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.

CVSS Scores

version 3.1