LDAP Injection Affecting github.com/stevenweathers/thunderdome-planning-poker package, versions <1.16.3


0.0
high
  • Attack Complexity

    High

  • Scope

    Changed

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMSTEVENWEATHERSTHUNDERDOMEPLANNINGPOKER-1910079

  • published

    3 Nov 2021

  • disclosed

    3 Nov 2021

  • credit

    Unknown

How to fix?

Upgrade github.com/StevenWeathers/thunderdome-planning-poker to version 1.16.3 or higher.

Overview

github.com/StevenWeathers/thunderdome-planning-poker is an open source agile planning poker tool in the theme of Battling for points that helps teams estimate stories.

Affected versions of this package are vulnerable to LDAP Injection via the ldap.NewSearchRequest function, which doesn't escape special characters in the UserName variable supplied as an argument to the fmt.Sprintf function, allowing for LDAP injection.

References