LDAP Injection Affecting github.com/stevenweathers/thunderdome-planning-poker package, versions <1.16.3


0.0
high

Snyk CVSS

    Attack Complexity High
    Scope Changed
    Confidentiality High

    Threat Intelligence

    EPSS 0.21% (58th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMSTEVENWEATHERSTHUNDERDOMEPLANNINGPOKER-1910079
  • published 3 Nov 2021
  • disclosed 3 Nov 2021
  • credit Unknown

How to fix?

Upgrade github.com/StevenWeathers/thunderdome-planning-poker to version 1.16.3 or higher.

Overview

github.com/StevenWeathers/thunderdome-planning-poker is an open source agile planning poker tool in the theme of Battling for points that helps teams estimate stories.

Affected versions of this package are vulnerable to LDAP Injection via the ldap.NewSearchRequest function, which doesn't escape special characters in the UserName variable supplied as an argument to the fmt.Sprintf function, allowing for LDAP injection.

References