oss-sec mailing list archives
CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection.
From: David Black <dblack () atlassian com>
Date: Fri, 18 Sep 2015 10:58:56 +1000
ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection through the username parameter. This issue was reported at https://github.com/vesse/node-ldapauth-fork/issues/21 and was fixed in https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 . ldapauth-fork version 2.3.3 includes the fix.

Can a CVE be assigned for this issue?

Note: the node-ldapauth project found at https://github.com/trentm/node-ldapauth, which node-ldapauth-fork was forked from, is still vulnerable to this issue. I notified the owner of the node-ldapauth repository but have not heard back.

--
David Black / Security Engineer.
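The class of bug reported above, shown as an added example that is not code from ldapauth-fork or from this post: a username substituted unescaped into an LDAP search filter, next to the same substitution with RFC 4515 escaping. The `(uid={{username}})` template, the function names and the sample input are assumptions made for illustration.

```javascript
'use strict';

// RFC 4515 section 3: these characters must be written as \XX (hex)
// when they appear inside an assertion value of a search filter.
const FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\u0000': '\\00',
};

// Hypothetical helper: escape one value for use inside a filter.
// A single pass, so the backslashes it emits are never escaped again.
function escapeFilterValue(value) {
  if (typeof value !== 'string') {
    throw new TypeError('filter value must be a string');
  }
  return value.replace(/[\\*()\u0000]/g, (ch) => FILTER_ESCAPES[ch]);
}

// Unsafe pattern: the username is pasted into the template as-is, so any
// filter metacharacter in it becomes part of the filter's structure.
function buildFilterUnsafe(template, username) {
  return template.replace(/\{\{username\}\}/g, () => username);
}

// Hardened pattern: the username can only ever be data.
function buildFilterSafe(template, username) {
  const escaped = escapeFilterValue(username);
  return template.replace(/\{\{username\}\}/g, () => escaped);
}

// Counts filter items by their opening parenthesis; escaped ones (\28)
// do not count because they are no longer literal parentheses.
function countFilterItems(filter) {
  return (filter.match(/\(/g) || []).length;
}

// Constructed sample input containing filter metacharacters.
const TEMPLATE = '(uid={{username}})';
const SAMPLE = 'a*)(cn=b';
console.log(buildFilterUnsafe(TEMPLATE, SAMPLE)); // two items, wildcard live
console.log(buildFilterSafe(TEMPLATE, SAMPLE));   // one item, all literal
```

Escaping belongs at the point where the filter string is assembled, so every caller of the bind or search routine gets it regardless of what validation happens upstream.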
Current thread:
- CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. David Black (Sep 17)
- Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. cve-assign (Sep 18)
- Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. David Black (Sep 20)
- Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. cve-assign (Sep 18)