CVE-2022-31084 — Argument Injection in Ldap Account Manager

CWE-88 — Argument Injection3 documents3 sources

Severity

8.1HIGHNVD

EPSS

1.6%

top 18.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ldapaccountmanager LAM Ldap-account-manager Ldap Account Manager Debian Ldap-account-manager +1 more

Timeline

PublishedJun 27

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5ldapaccountmanager/lam< 8.0

▶debiandebian/ldap-account-manager< ldap-account-manager 8.0.1-1 (bookworm)

▶NVDldap-account-manager/ldap_account_manager< 8.0

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-31084: LDAP Account Manager (LAM) is a webfrontend for managing entries (e↗2022-06-27

▶

📋Vendor Advisories

Debian

CVE-2022-31084: ldap-account-manager - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, gr...↗2022

▶