PT-2022-3280 · PHP · PHP OpenSSL Extension

Arseniy Sharoglazov · Published 2022-06-16 · Updated 2023-06-29

CVE-2022-31085
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager versions prior to 8.0

Description: The issue is caused by a lack of protection for confidential information in the LDAP Account Manager (LAM) web application. When the PHP OpenSSL extension is not installed, or session encryption is disabled by configuration, LAM writes the LDAP user name and password to its session files in clear text. Exploitation of this issue may allow an attacker who can read those session files to obtain LDAP authentication credentials.

Recommendations: Upgrade to version 8.0 or later to resolve the issue. For versions prior to 8.0 where an upgrade is not possible, install the PHP OpenSSL extension and make sure session encryption is enabled in the LAM main configuration.
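The advisory's recommendation amounts to one rule: if the OpenSSL extension is missing, credentials must never reach the session file at all, rather than silently falling back to clear text. The following is an added example, written for this page and not LAM's own code, of a session credential store that fails closed. The class name, the `lam_session_key` cookie name and the `ldap_credentials` session key are hypothetical; the pattern of keeping the key client-side in a cookie so that the server-side session file alone is not enough to recover the password is an assumption about a sensible design, not a description of LAM's implementation.

```php
<?php
// Added example, not LAM project code. Names below (SessionCredentialStore,
// 'lam_session_key', 'ldap_credentials') are hypothetical.
declare(strict_types=1);

final class SessionCredentialStore
{
    private const CIPHER = 'aes-256-gcm';
    private const COOKIE = 'lam_session_key';      // hypothetical cookie name
    private const SESSION_KEY = 'ldap_credentials'; // hypothetical session field

    /** Fail closed: without the OpenSSL extension, refuse to store anything. */
    public static function assertEncryptionAvailable(): void
    {
        if (!extension_loaded('openssl')
            || !in_array(self::CIPHER, openssl_get_cipher_methods(), true)) {
            throw new RuntimeException(
                'PHP OpenSSL extension with AES-256-GCM is required; refusing to store credentials'
            );
        }
    }

    /** Per-session key lives only in a cookie, never in the session file. */
    private static function key(): string
    {
        if (empty($_COOKIE[self::COOKIE])) {
            $key = random_bytes(32);
            setcookie(self::COOKIE, base64_encode($key),
                ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
            $_COOKIE[self::COOKIE] = base64_encode($key);
            return $key;
        }
        $key = base64_decode($_COOKIE[self::COOKIE], true);
        if ($key === false || strlen($key) !== 32) {
            throw new RuntimeException('Malformed session key cookie');
        }
        return $key;
    }

    public static function store(string $bindDn, string $password): void
    {
        self::assertEncryptionAvailable();
        $iv  = random_bytes(12);   // 96-bit nonce for GCM
        $tag = '';
        $ciphertext = openssl_encrypt(
            $bindDn . "\0" . $password, self::CIPHER, self::key(),
            OPENSSL_RAW_DATA, $iv, $tag
        );
        if ($ciphertext === false) {
            throw new RuntimeException('Encryption failed');
        }
        // Only nonce, tag and ciphertext reach the session file; no cleartext field exists.
        $_SESSION[self::SESSION_KEY] = base64_encode($iv . $tag . $ciphertext);
    }

    /** @return array{0:string,1:string} [bindDn, password] */
    public static function load(): array
    {
        self::assertEncryptionAvailable();
        $blob = base64_decode($_SESSION[self::SESSION_KEY] ?? '', true);
        if ($blob === false || strlen($blob) < 28) {
            throw new RuntimeException('No stored credentials');
        }
        $iv         = substr($blob, 0, 12);
        $tag        = substr($blob, 12, 16);
        $ciphertext = substr($blob, 28);
        $plain = openssl_decrypt($ciphertext, self::CIPHER, self::key(),
            OPENSSL_RAW_DATA, $iv, $tag);
        if ($plain === false) {
            throw new RuntimeException('Decryption failed (wrong key or tampered session data)');
        }
        [$bindDn, $password] = explode("\0", $plain, 2);
        return [$bindDn, $password];
    }
}

// Usage (after session_start()), with constructed sample values:
// SessionCredentialStore::store('cn=admin,dc=example,dc=org', 'constructed-password');
// [$dn, $pw] = SessionCredentialStore::load();
```

For an existing pre-8.0 deployment, the equivalent operational check is to confirm `openssl` appears in the output of `php -m` for the PHP build that actually serves LAM (the CLI and the web SAPI can load different extension sets), and then to verify the session encryption option in the LAM main configuration is enabled rather than relying on a default.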

Weakness Enumeration:
Missing Encryption of Sensitive Data
Insufficiently Protected Credentials
Using Hardcoded Credentials

Related Identifiers:
BDU:2022-04004
CVE-2022-31085
DSA-5177-1
GHSA-6M3Q-5C84-6H6J

Affected Products:
LDAP Account Manager
PHP OpenSSL Extension