PT-2022-27680 · Apache · Apache ManifoldCF

4Ra1N

·

Published

2022-12-07

·

Updated

2025-04-22

·

CVE-2022-45910

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache ManifoldCF versions 2.23 and prior

Description

The issue is related to improper neutralization of special elements used in an LDAP query, also known as 'LDAP Injection'. This allows an attacker to manipulate the LDAP search queries, potentially leading to denial of service (DoS), execution of additional queries, or filter manipulation during user lookup. The vulnerability occurs when the username or the domain string is passed to the UserACLs servlet without validation in the ActiveDirectory and SharePoint ActiveDirectory authority connectors of Apache ManifoldCF.

Recommendations

For Apache ManifoldCF versions 2.23 and prior, update to a version that includes the fix for this issue. As a temporary workaround, consider validating the username and domain string before passing them to the UserACLs servlet to prevent LDAP injection attacks. Restrict access to the UserACLs servlet to minimize the risk of exploitation.
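The workaround above, shown as an added example that is not ManifoldCF's own code: a vulnerable filter built by string concatenation beside a hardened user lookup that allow-list validates the username and domain and then escapes the filter value per RFC 4515. The allow-list patterns, the helper names and the sample inputs are assumptions made for this example.

```python
import re

# Escapes required by RFC 4515 for characters inside an LDAP filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Allow-lists for a sAMAccountName-style username and a DNS-style AD domain.
# The patterns are assumptions for this example, not ManifoldCF's own rules.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
_DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")


def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_identity(username: str, domain: str) -> None:
    """Reject username/domain strings outside the expected character set."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError("domain is not a valid DNS-style name")


def is_accepted(username: str, domain: str) -> bool:
    """True when both strings pass validation, False when they would be rejected."""
    try:
        validate_identity(username, domain)
        return True
    except ValueError:
        return False


def domain_to_base_dn(domain: str) -> str:
    """Turn corp.example.com into DC=corp,DC=example,DC=com for the search base."""
    return ",".join("DC=" + label for label in domain.split("."))


def build_user_filter_unsafe(username: str) -> str:
    # Vulnerable pattern: untrusted input concatenated straight into the filter,
    # so wildcards and parentheses in the input change what the query matches.
    return "(&(objectClass=user)(sAMAccountName=" + username + "))"


def build_user_lookup(username: str, domain: str) -> tuple:
    """Hardened lookup: allow-list validation first, RFC 4515 escaping second."""
    validate_identity(username, domain)
    search_filter = "(&(objectClass=user)(sAMAccountName=%s))" % escape_ldap_filter_value(username)
    return domain_to_base_dn(domain), search_filter
```

With the constructed inputs `("alice", "corp.example.com")` the hardened lookup returns the base DN `DC=corp,DC=example,DC=com` and an unchanged filter, while `"alice*"` is rejected before any query is built, whereas the unsafe builder passes the wildcard straight to the directory.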

Fix

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2022-45910

Affected Products

Apache ManifoldCF