Description
LDAP Injection in ldapauth
Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter.
Recommendation
ldapauth is not actively maintained and has not had a release since 2014. As a result, there is no patch available. Consider switching to ldapauth-fork 2.3.3 or greater.
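To make the description concrete from the defender's side, the following added example (not code from ldapauth or ldapauth-fork) contrasts a search filter built by interpolating the raw username with one that escapes the value per RFC 4515 before interpolation. The field name `uid` and the sample usernames are constructed for the illustration; the escaping rules are the standard ones from RFC 4515 section 3.

```javascript
// Added example: RFC 4515 escaping of a username used inside an LDAP search filter.
// Not the project's own code; `uid` and the sample inputs below are assumptions.

// Escape a value for use as an assertion value in an LDAP search filter.
// RFC 4515 requires '*', '(', ')', '\' and NUL to be written as a backslash
// followed by the two-digit hex code of the character.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Vulnerable pattern: the username is pasted verbatim into the filter, so
// filter metacharacters in the input change the meaning of the query.
function buildFilterUnsafe(usernameField, username) {
  return `(${usernameField}=${username})`;
}

// Hardened pattern: the username is escaped first, so it can only ever be
// matched literally as the value of a single equality assertion.
function buildFilterSafe(usernameField, username) {
  return `(${usernameField}=${escapeLdapFilterValue(username)})`;
}

// Sanity check a built filter: exactly one equality assertion on the expected
// field, with no unescaped metacharacters left in the value part.
function isSingleEqualityFilter(filter, usernameField) {
  const prefix = `(${usernameField}=`;
  if (!filter.startsWith(prefix) || !filter.endsWith(')')) return false;
  const value = filter.slice(prefix.length, -1);
  return !/[*()\0]/.test(value) && !/\\(?![0-9a-fA-F]{2})/.test(value);
}

// Constructed inputs: a normal username and a wildcard, which in an unescaped
// filter would match every entry instead of one user.
const samples = ['alice', '*'];
for (const name of samples) {
  const unsafe = buildFilterUnsafe('uid', name);
  const safe = buildFilterSafe('uid', name);
  console.log(JSON.stringify(name), '->', unsafe, '|', safe,
    '| safe filter well-formed:', isSingleEqualityFilter(safe, 'uid'));
}
```

The escaping function is what the hardened path relies on; `isSingleEqualityFilter` is a cheap assertion a login handler can run on the final filter string (or that a test suite can use) to catch a code path that forgot to escape.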
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-7294
- https://github.com/vesse/node-ldapauth-fork/issues/21
- https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
- https://www.npmjs.com/advisories/18
- https://www.npmjs.com/advisories/19
- http://www.openwall.com/lists/oss-security/2015/09/18/4
- http://www.openwall.com/lists/oss-security/2015/09/18/8
- http://www.openwall.com/lists/oss-security/2015/09/21/2
Packages

| Name | Registry | Affected versions | Fixed version |
| --- | --- | --- | --- |
| ldapauth-fork | npm | < 2.3.3 | 2.3.3 |
| ldapauth | npm | | None |
Related vulnerabilities
- CVSS3: 7.5 (nvd, more than 8 years ago): ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.