CVE-2022-31085 — Missing Encryption of Sensitive Data in Ldap Account Manager

CWE-311 — Missing Encryption of Sensitive Data CWE-522 — Insufficiently Protected Credentials3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 74.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ldapaccountmanager LAM Ldap-account-manager Ldap Account Manager Debian Ldap-account-manager +1 more

Timeline

PublishedJun 27

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5ldapaccountmanager/lam< 8.0

▶debiandebian/ldap-account-manager< ldap-account-manager 8.0.1-1 (bookworm)

▶NVDldap-account-manager/ldap_account_manager< 8.0

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-31085: LDAP Account Manager (LAM) is a webfrontend for managing entries (e↗2022-06-27

▶

📋Vendor Advisories

Debian

CVE-2022-31085: ldap-account-manager - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, gr...↗2022

▶