LDAP Injection Affecting github.com/stevenweathers/thunderdome-planning-poker package, versions <1.16.3
- Snyk ID SNYK-GOLANG-GITHUBCOMSTEVENWEATHERSTHUNDERDOMEPLANNINGPOKER-1910079
- published 3 Nov 2021
- disclosed 3 Nov 2021
- credit Unknown
How to fix?
Upgrade github.com/StevenWeathers/thunderdome-planning-poker to version 1.16.3 or higher.
github.com/StevenWeathers/thunderdome-planning-poker is an open source agile planning poker tool in the theme of Battling for points that helps teams estimate stories.
Affected versions of this package are vulnerable to LDAP Injection via the ldap.NewSearchRequest function, which doesn't escape special characters in the UserName variable supplied as an argument to the fmt.Sprintf function, allowing for LDAP injection.
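
The pattern described above, next to an escaped version, as an added example that is not taken from the project's code. The filter template and all function names are assumptions, and the escaping is a standard-library implementation of RFC 4515 value escaping (the go-ldap library provides ldap.EscapeFilter for the same purpose).

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical filter template; the project's real filter is not shown on the page.
const filterTemplate = "(&(objectClass=person)(uid=%s))"

// escapeFilterValue applies RFC 4515 value escaping: each of \ * ( ) and NUL
// becomes a backslash followed by the byte's two hex digits.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeFilter is the pattern from the advisory: raw input passed to fmt.Sprintf.
func unsafeFilter(userName string) string {
	return fmt.Sprintf(filterTemplate, userName)
}

// safeFilter escapes the value first, so it can only ever be matched as data.
func safeFilter(userName string) string {
	return fmt.Sprintf(filterTemplate, escapeFilterValue(userName))
}

// filterItems counts literal "(" characters, i.e. filter components the server will parse.
func filterItems(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	// Constructed inputs: a plain name, a wildcard, and a value carrying filter syntax.
	for _, in := range []string{"jdoe", "j*", "x)(cn=*"} {
		u, s := unsafeFilter(in), safeFilter(in)
		fmt.Printf("input   %q\n unsafe %s (items=%d)\n safe   %s (items=%d)\n",
			in, u, filterItems(u), s, filterItems(s))
	}
}
```

With escaping, the component count stays at the template's three for every input, which makes it a cheap regression check for code that builds filters from user-supplied names.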