oss-sec mailing list archives
Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection.
From: David Black <dblack () atlassian com>
Date: Mon, 21 Sep 2015 12:56:55 +1000
On 19 September 2015 at 05:08, <cve-assign () mitre org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256https://github.com/vesse/node-ldapauth-fork/issues/21https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 Use CVE-2015-7294. The existence of a fork does not, by itself, lead to use of multiple CVE IDs. The CVE ID is for the vulnerability in the shared codebase, regardless of the product names in which that codebase is used. https://github.com/vesse/node-ldapauth-fork/issues/21#issuecomment-108186158 has comments from the vendor about possible mitigating factors. Given those comments, is the most straightforward threat that the attacker may be able to arrange for a search result to be exactly one username, and may not know the complete username in advance but may know the password in advance?
That's one option. I was actually thinking that an attacker could also exploit this issue to extract information from ldap - provided that the attacker knows a working username and password combination then they should be able craft ldap queries that only match their username if an additional search condition is met. -- David Black / Security Engineer.
Current thread:
- CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. David Black (Sep 17)
- Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. cve-assign (Sep 18)
- Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. David Black (Sep 20)
- Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. cve-assign (Sep 18)