CVE-2024-23333 Affecting ldap-account-manager package, versions <8.7-1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN13-LDAPACCOUNTMANAGER-6466820
- published20 Mar 2024
- disclosed18 Mar 2024
Introduced: 18 Mar 2024
CVE-2024-23333 (opens in a new tab)How to fix?
Upgrade Debian:13 ldap-account-manager to version 8.7-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ldap-account-manager package and not the ldap-account-manager package as distributed by Debian.
See How to fix? for Debian:13 relevant fixed versions and status.
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.