CVE-2022-31088
Unauthenticated LDAP Injection in ldap-account-manager
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0.
LDAP Account Manager (LAM) es una interfaz web para administrar entradas (por ejemplo, usuarios, grupos, configuraciones DHCP) almacenadas en un directorio LDAP. En versiones anteriores a 8.0, el campo del nombre de usuario en el inicio de sesión podía usarse para enumerar los datos LDAP. Este es el caso sólo de la configuración de búsqueda LDAP. Este problema ha sido corregido en versión 8.0
Arseniy Sharoglazov discovered multiple security issues in LDAP Account Manager (LAM), a web frontend for managing accounts in an LDAP directory, which could result in information disclosure or unauthenticated remote code execution.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2022-05-18 CVE Reserved
- 2022-06-27 CVE Published
- 2025-04-23 CVE Updated
- 2025-04-23 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-wxf8-9x99-6gp4 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 | 2022-07-07 |
URL | Date | SRC |
---|---|---|
https://www.debian.org/security/2022/dsa-5177 | 2022-07-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Ldap-account-manager Search vendor "Ldap-account-manager" | Ldap Account Manager Search vendor "Ldap-account-manager" for product "Ldap Account Manager" | < 8.0 Search vendor "Ldap-account-manager" for product "Ldap Account Manager" and version " < 8.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
|