Arbitrary Argument Injection Affecting ldap-account-manager package, versions <8.0.1-1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
1.64% (89th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIANUNSTABLE-LDAPACCOUNTMANAGER-2936733
  • published29 Jun 2022
  • disclosed27 Jun 2022

Introduced: 27 Jun 2022

CVE-2022-31084  (opens in a new tab)
CWE-88  (opens in a new tab)

How to fix?

Upgrade Debian:unstable ldap-account-manager to version 8.0.1-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ldap-account-manager package and not the ldap-account-manager package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.

CVSS Scores

version 3.1