PT-2022-2707 · Openldap+6

Jacek Konieczny · Published 2022-03-23 · Updated 2025-03-26 · CVE-2022-29155

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
OpenLDAP versions 2.x prior to 2.5.12
OpenLDAP versions 2.6.x prior to 2.6.2

Description
The issue is a SQL injection vulnerability in the experimental back-sql backend to slapd. It can be exploited when a specially crafted SQL statement is included within an LDAP query, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability arises because back-sql does not properly escape filter values when it processes the search filter of an LDAP search operation.

Recommendations
For OpenLDAP versions 2.x prior to 2.5.12, update to version 2.5.12 or later. For OpenLDAP versions 2.6.x prior to 2.6.2, update to version 2.6.2 or later. As a temporary workaround, consider restricting access to the back-sql backend to minimize the risk of exploitation.
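The description above names the root cause as a filter value reaching SQL without proper escaping. The following is an added illustration, not code from OpenLDAP or from this advisory: a toy search function that splices the LDAP filter value into SQL text (the vulnerable pattern) next to one that binds it as a parameter (the hardened pattern), run against a constructed in-memory SQLite table, plus a small check a defender could apply to filter values seen in logs. The table, column names and sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed stand-in for the relational store that a back-sql style backend maps onto.
# Names and rows are invented for this example.
SCHEMA = """
CREATE TABLE persons (id INTEGER PRIMARY KEY, cn TEXT NOT NULL, secret TEXT NOT NULL);
INSERT INTO persons (cn, secret) VALUES ('alice', 'token-a'), ('bob', 'token-b');
"""


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_unescaped(cn_value: str) -> list[str]:
    """Vulnerable pattern: the value taken from an LDAP filter such as (cn=...) is
    interpolated straight into the SQL statement, so quote characters in the value
    change the meaning of the query."""
    conn = _connect()
    sql = f"SELECT cn FROM persons WHERE cn = '{cn_value}' ORDER BY cn"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(cn_value: str) -> list[str]:
    """Hardened pattern: the value is passed as a bound parameter. The database
    driver treats it purely as data, so no escaping of the value is needed."""
    conn = _connect()
    rows = conn.execute(
        "SELECT cn FROM persons WHERE cn = ? ORDER BY cn", (cn_value,)
    )
    return [row[0] for row in rows]


def filter_value_suspicious(cn_value: str) -> bool:
    """Cheap triage check for values pulled from LDAP search logs: flags the
    characters and sequences that only matter if the value is being treated as
    SQL text. A hit is a reason to look, not proof of an attack."""
    markers = ("'", '"', ";", "--", "/*")
    return any(m in cn_value for m in markers)


# A classic tautology value: an ordinary string to a parameterized query,
# a changed WHERE clause to the unescaped one.
CRAFTED_VALUE = "x' OR '1'='1"

if __name__ == "__main__":
    print("unescaped     :", search_unescaped(CRAFTED_VALUE))
    print("parameterized :", search_parameterized(CRAFTED_VALUE))
    print("suspicious?   :", filter_value_suspicious(CRAFTED_VALUE))
```

The unescaped function returns every row for the crafted value, while the parameterized one returns nothing because no `cn` literally equals that string; a legitimate lookup such as `search_parameterized("alice")` still works. The fix in OpenLDAP is to escape the value before building the statement; binding parameters, as shown here, removes the need for that escaping altogether where the backend allows it.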

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers

ALT-PU-2022-2606
ALT-PU-2023-2063
ALT-PU-2023-6417
AZL-9672
BDU:2022-03203
BIT-OPENLDAP-2022-29155
CVE-2022-29155
DLA-3017-1
DSA-5140-1
MGASA-2022-0205
OESA-2022-1654
OPENSUSE-SU-2022_1670-1
SUSE-SU-2022:1670-1
SUSE-SU-2022:1671-1
SUSE-SU-2022:1685-1
SUSE-SU-2022:1771-1
SUSE-SU-2022:1832-1
SUSE-SU-2022_1670-1
SUSE-SU-2022_1671-1
SUSE-SU-2022_1685-1
SUSE-SU-2022_1771-1
SUSE-SU-2022_1832-1
USN-5424-1
USN-5424-2

Affected Products

Alt Linux
Astra Linux
Linuxmint
Openldap
Red Os
Suse
Ubuntu