PT-2022-3278 · Unknown · Ldap Account Manager

Arseniy Sharoglazov · Published 2022-06-16 · Updated 2022-07-15 · CVE-2022-31088

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager versions prior to 8.0

Description: The LDAP Account Manager web application does not neutralize special elements in the username field before using it in an LDAP search, allowing a remote attacker to enumerate LDAP data through that field. This is only possible in configurations that use LDAP search.

Recommendations: For versions prior to 8.0, update to version 8.0 to resolve the issue. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation. Avoid using the username field in the affected login endpoint until the issue is resolved.
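As an added example (not LDAP Account Manager's own code), the following Python shows the neutralization this advisory describes as missing: escaping RFC 4515 filter metacharacters in a username before it is placed into an LDAP search filter, plus a check a defender can use to flag login attempts that carry such characters. The `uid` attribute and the filter template are assumptions for illustration.

```python
# Added example, not code from LDAP Account Manager. The attribute name (uid)
# and the filter template are assumptions chosen for illustration.

# RFC 4515 requires these characters to be escaped inside a filter assertion value.
# Using a per-character lookup means backslash is never double-escaped.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, attribute: str = "uid") -> str:
    """Build an exact-match lookup filter with the username neutralised.

    A username such as 'ali*' becomes '(uid=ali\\2a)', which matches only the
    literal string, so it can no longer widen the search and enumerate entries.
    """
    return f"({attribute}={escape_filter_value(username)})"


def has_filter_metachars(username: str) -> bool:
    """Detection helper: True if the username carries filter metacharacters.

    Useful for logging or alerting on login attempts against a search-based
    login, independent of whether escaping is applied.
    """
    return any(ch in _RFC4515_ESCAPES for ch in username)


if __name__ == "__main__":
    # Constructed sample usernames, not taken from any real system.
    for name in ["alice", "ali*", "ali(ce)", "a\\b"]:
        flag = " <- metacharacters present" if has_filter_metachars(name) else ""
        print(f"{name!r:12} -> {build_user_filter(name)}{flag}")
```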

Special Elements Injection


Weakness Enumeration

Related Identifiers

BDU:2022-04002
CVE-2022-31088
DSA-5177-1
GHSA-WXF8-9X99-6GP4

Affected Products

Ldap Account Manager