Common Weakness Enumeration

CWE-90

Allowed

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

114 vulnerabilities reference this CWE, most recent first.

GHSA-CMM2-4Q45-JPGH

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2024-05-23 18:30
VLAI
Details

MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-06T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a \"linkdn\" and \"containerdn\" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.",
  "id": "GHSA-cmm2-4q45-jpgh",
  "modified": "2024-05-23T18:30:52Z",
  "published": "2022-05-13T01:02:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/krb5/krb5/commit/e1caf6fb74981da62039846931ebdffed71309d1"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2019:0327"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3071"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891869"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1551082"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GK5T6JPMBHBPKS7HNGHYUUF4KKRMNSNU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIFUL3CPM4S5TOXTTOCQ3CUZN6XCXUTR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GK5T6JPMBHBPKS7HNGHYUUF4KKRMNSNU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIFUL3CPM4S5TOXTTOCQ3CUZN6XCXUTR"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1042071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQH3-JG8P-336J

Vulnerability from github – Published: 2026-05-26 23:39 – Updated: 2026-06-11 14:05
VLAI
Summary
Yamcs Vulnerable to LDAP Injection in LdapAuthModule
Details

Summary

An LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

Root Cause

File: yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233

The username parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:

// VULNERABLE
var filter = userFilter.replace("{0}", username);
var searchResult = getSingleResult(ctx, userBase, filter, controls);

LDAP wildcard characters (*, (, )) are accepted without sanitization.

Impact

With a known valid password, username=* authenticates as the first user returned by the LDAP search — enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.

This affects deployments that use org.yamcs.security.LdapAuthModule in their etc/security.yaml configuration file.

Proof of Concept

curl -X POST "http://TARGET:8090/auth/token" \
  -d "grant_type=password&username=*&password=known_password"
# Returns token for first matching LDAP user

Fix

Apply RFC 4515 escaping before filter construction:

private static String escapeLdapFilter(String input) {
    return input
        .replace("\\", "\\5c")
        .replace("*",  "\\2a")
        .replace("(",  "\\28")
        .replace(")",  "\\29")
        .replace("\0", "\\00");
}
var filter = userFilter.replace("{0}", escapeLdapFilter(username));
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.yamcs:yamcs-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.12.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T23:39:55Z",
    "nvd_published_at": "2026-06-10T23:16:46Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.\n\n### Root Cause\n\n**File:** `yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233`\n\nThe `username` parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:\n\n```java\n// VULNERABLE\nvar filter = userFilter.replace(\"{0}\", username);\nvar searchResult = getSingleResult(ctx, userBase, filter, controls);\n```\n\nLDAP wildcard characters (`*`, `(`, `)`) are accepted without sanitization.\n\n### Impact\n\nWith a known valid password, `username=*` authenticates as the first user returned by the LDAP search \u2014 enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.\n\nThis affects deployments that use `org.yamcs.security.LdapAuthModule` in their `etc/security.yaml` configuration file.\n\n### Proof of Concept\n\n```bash\ncurl -X POST \"http://TARGET:8090/auth/token\" \\\n  -d \"grant_type=password\u0026username=*\u0026password=known_password\"\n# Returns token for first matching LDAP user\n```\n\n### Fix\n\nApply RFC 4515 escaping before filter construction:\n\n```java\nprivate static String escapeLdapFilter(String input) {\n    return input\n        .replace(\"\\\\\", \"\\\\5c\")\n        .replace(\"*\",  \"\\\\2a\")\n        .replace(\"(\",  \"\\\\28\")\n        .replace(\")\",  \"\\\\29\")\n        .replace(\"\\0\", \"\\\\00\");\n}\nvar filter = userFilter.replace(\"{0}\", escapeLdapFilter(username));\n```",
  "id": "GHSA-cqh3-jg8p-336j",
  "modified": "2026-06-11T14:05:22Z",
  "published": "2026-05-26T23:39:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yamcs/yamcs/security/advisories/GHSA-cqh3-jg8p-336j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42568"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yamcs/yamcs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yamcs/yamcs/releases/tag/yamcs-5.12.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yamcs/yamcs/releases/tag/yamcs-5.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Yamcs Vulnerable to LDAP Injection in LdapAuthModule"
}

GHSA-CVF4-F829-762V

Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 23:10
VLAI
Summary
pgAdmin is affected by an LDAP injection vulnerability
Details

pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data DOS.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pgadmin4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-12764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T23:10:38Z",
    "nvd_published_at": "2025-11-13T13:15:44Z",
    "severity": "HIGH"
  },
  "details": "pgAdmin \u003c= 9.9\u00a0is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data DOS.",
  "id": "GHSA-cvf4-f829-762v",
  "modified": "2025-11-13T23:10:39Z",
  "published": "2025-11-13T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/9325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/commit/09d2b7eeb0e330df73b1aef0cba57788fde52b6b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pgadmin-org/pgadmin4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pgAdmin is affected by an LDAP injection vulnerability"
}

GHSA-F786-73F3-CVMC

Vulnerability from github – Published: 2023-12-18 00:30 – Updated: 2023-12-18 00:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5. This issue affects some unknown processing of the file user,adap.jsp?actionFlag=test&id=1 of the component Bind Request Handler. The manipulation leads to ldap injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-248267. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-18T00:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5. This issue affects some unknown processing of the file user,adap.jsp?actionFlag=test\u0026id=1 of the component Bind Request Handler. The manipulation leads to ldap injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-248267. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-f786-73f3-cvmc",
  "modified": "2023-12-18T00:30:23Z",
  "published": "2023-12-18T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6905"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.248267"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.248267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G283-W6FP-C4FC

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 16:59
VLAI
Summary
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability
Details

Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow-providers-fab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T16:59:52Z",
    "nvd_published_at": "2026-05-25T11:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.",
  "id": "GHSA-g283-w6fp-c4fc",
  "modified": "2026-06-30T16:59:52Z",
  "published": "2026-05-26T13:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/pull/66417"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/airflow/commit/3f7756bea71a7c7988511ec0557314ffb15fbe5e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/24/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability"
}

GHSA-GMRW-VH4Q-4FVV

Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30
VLAI
Details

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T22:16:01Z",
    "severity": "HIGH"
  },
  "details": "WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.",
  "id": "GHSA-gmrw-vh4q-4fvv",
  "modified": "2026-02-11T00:30:14Z",
  "published": "2026-02-08T00:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25560"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb"
    },
    {
      "type": "WEB",
      "url": "https://wekan.fi"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GX55-P8G7-P3FH

Vulnerability from github – Published: 2026-06-24 15:31 – Updated: 2026-06-24 15:31
VLAI
Details

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T14:17:35Z",
    "severity": "LOW"
  },
  "details": "Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.",
  "id": "GHSA-gx55-p8g7-p3fh",
  "modified": "2026-06-24T15:31:47Z",
  "published": "2026-06-24T15:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57288"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H47X-56Q8-MW44

Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32
VLAI
Details

An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T08:16:21Z",
    "severity": "MODERATE"
  },
  "details": "An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.",
  "id": "GHSA-h47x-56q8-mw44",
  "modified": "2026-05-21T09:32:10Z",
  "published": "2026-05-21T09:32:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44063"
    },
    {
      "type": "WEB",
      "url": "https://netatalk.io/security/CVE-2026-44063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H54R-MF9P-GJ9P

Vulnerability from github – Published: 2024-01-12 21:30 – Updated: 2024-01-12 21:30
VLAI
Details

NVIDIA DGX A100 BMC contains a vulnerability where an attacker may cause an LDAP user injection. A successful exploit of this vulnerability may lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA DGX A100 BMC contains a vulnerability where an attacker may cause an LDAP user injection. A successful exploit of this vulnerability may lead to information disclosure.",
  "id": "GHSA-h54r-mf9p-gj9p",
  "modified": "2024-01-12T21:30:19Z",
  "published": "2024-01-12T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31025"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4FH-PF6M-QQ74

Vulnerability from github – Published: 2023-01-07 18:30 – Updated: 2023-01-12 21:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in hydrian TTRSS-Auth-LDAP. Affected by this issue is some unknown functionality of the component Username Handler. The manipulation leads to ldap injection. Upgrading to version 2.0b1 is able to address this issue. The name of the patch is a7f7a5a82d9202a5c40d606a5c519ba61b224eb8. It is recommended to upgrade the affected component. VDB-217622 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-10027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-90"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-07T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in hydrian TTRSS-Auth-LDAP. Affected by this issue is some unknown functionality of the component Username Handler. The manipulation leads to ldap injection. Upgrading to version 2.0b1 is able to address this issue. The name of the patch is a7f7a5a82d9202a5c40d606a5c519ba61b224eb8. It is recommended to upgrade the affected component. VDB-217622 is the identifier assigned to this vulnerability.",
  "id": "GHSA-p4fh-pf6m-qq74",
  "modified": "2023-01-12T21:30:29Z",
  "published": "2023-01-07T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10027"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydrian/TTRSS-Auth-LDAP/pull/14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydrian/TTRSS-Auth-LDAP/commit/a7f7a5a82d9202a5c40d606a5c519ba61b224eb8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydrian/TTRSS-Auth-LDAP/releases/tag/2.0b1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217622"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217622"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-136: LDAP Injection

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.