Arbitrary Code Injection Affecting ldap-account-manager package, versions <8.0.1-1


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.19% (59th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN12-LDAPACCOUNTMANAGER-2936726
  • published29 Jun 2022
  • disclosed27 Jun 2022

Introduced: 27 Jun 2022

CVE-2022-31088  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

Upgrade Debian:12 ldap-account-manager to version 8.0.1-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ldap-account-manager package and not the ldap-account-manager package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0.

CVSS Scores

version 3.1