LDAP Injection Affecting github.com/stevenweathers/thunderdome-planning-poker package, versions <1.16.3
Snyk CVSS
Attack Complexity
High
Scope
Changed
Confidentiality
High
Threat Intelligence
EPSS
0.21% (58th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMSTEVENWEATHERSTHUNDERDOMEPLANNINGPOKER-1910079
- published 3 Nov 2021
- disclosed 3 Nov 2021
- credit Unknown
Introduced: 3 Nov 2021
CVE-2021-41232 Open this link in a new tabHow to fix?
Upgrade github.com/StevenWeathers/thunderdome-planning-poker to version 1.16.3 or higher.
Overview
github.com/StevenWeathers/thunderdome-planning-poker is an open source agile planning poker tool in the theme of Battling for points that helps teams estimate stories.
Affected versions of this package are vulnerable to LDAP Injection via the ldap.NewSearchRequest function, which doesn't escape special characters in the UserName variable supplied as an argument to the fmt.Sprintf function, allowing for LDAP injection.