PT-2021-11929 · Redash · Redash
Jorgectf · Published 2021-03-18 · Updated 2024-03-06 · CVE-2020-36144
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Redash version 8.0.0
Description:
The issue is an LDAP Injection that allows authentication bypass and information leak through specially crafted queries. It is caused by the lack of sanitization of the username included in the search filter. The vulnerable code is the auth_ldap_user function, which takes username and password parameters and formats the LDAP_SEARCH_TEMPLATE setting with the username variable without proper sanitization.
Recommendations:
For Redash version 8.0.0, ensure proper sanitization of the username variable that is formatted into the LDAP_SEARCH_TEMPLATE setting to prevent LDAP Injection attacks. As a temporary workaround, consider restricting access to the LDAP authentication mechanism until a patch is available.
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Redash