Description
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.
Apache Karaf uses the LDAPLoginModule to authenticate users to a directory via LDAP. It does not, however, encode usernames properly and hence is vulnerable to LDAP injection attacks. While it appears that it is not possible to exploit this vulnerability to allow an attacker to gain remote access, it does allow an attacker to insert special characters into the search query step. Therefore, it can potentially be exploited as part of a Denial of Service attack.
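The effect described above, a username altering the structure of the LDAP search filter, shown as an added example that is not Karaf's own code; the filter template, attribute names and sample usernames are assumptions constructed for the demonstration:

```python
import re

# Hypothetical filter template in the style of an LDAP login module; the real
# Karaf template and attribute names are not taken from the advisory.
USER_FILTER_TEMPLATE = "(&(objectClass=person)(uid={user}))"

_ASSERTION = re.compile(r"\([^()]*\)")  # one (attribute=value) item


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter_unsafe(username: str) -> str:
    """'Before' form: the raw username is interpolated into the filter."""
    return USER_FILTER_TEMPLATE.format(user=username)


def build_filter_safe(username: str) -> str:
    """'After' form: the username is escaped before interpolation."""
    return USER_FILTER_TEMPLATE.format(user=escape_filter_value(username))


def assertion_count(ldap_filter: str) -> int:
    """Number of (attribute=value) items the filter contains (structure check)."""
    return len(_ASSERTION.findall(ldap_filter))


def parentheses_balanced(ldap_filter: str) -> bool:
    """False when a username has broken the filter syntax (the denial-of-service direction)."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs: a normal login, one that adds a filter item, one that breaks syntax.
    for name in ("alice", "alice)(uid=*", "alice)"):
        u, s = build_filter_unsafe(name), build_filter_safe(name)
        print(f"{name!r:16} unsafe items={assertion_count(u)} balanced={parentheses_balanced(u)}")
        print(f"{'':16} safe   items={assertion_count(s)} balanced={parentheses_balanced(s)}")
```

With escaping applied, every username yields a filter with exactly two assertions and balanced parentheses, which is the property the fix in 4.0.8 restores.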
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss A-MQ 6 | karaf | Affected | | |
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 11 (Ocata) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 12 (Pike) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Affected | | |
| Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 9 (Mitaka) | opendaylight | Will not fix | | |
| Red Hat JBoss A-MQ 6.3 | karaf | Fixed | RHSA-2018:1322 | 03.05.2018 |
| Red Hat JBoss Fuse 6.3 | karaf | Fixed | RHSA-2018:1322 | 03.05.2018 |
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encode usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.
Moderate severity vulnerability that affects org.apache.karaf:apache-karaf
EPSS:
CVSS3: 7.5 High