CVE-2022-31086 — Injection in Ldap Account Manager

CWE-74 — Injection CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ldapaccountmanager LAM Ldap-account-manager Ldap Account Manager Debian Ldap-account-manager +1 more

Timeline

PublishedJun 27

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5ldapaccountmanager/lam< 8.0

▶debiandebian/ldap-account-manager< ldap-account-manager 8.0.1-1 (bookworm)

▶NVDldap-account-manager/ldap_account_manager< 8.0

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-31086: LDAP Account Manager (LAM) is a webfrontend for managing entries (e↗2022-06-27

▶

📋Vendor Advisories

Debian

CVE-2022-31086: ldap-account-manager - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, gr...↗2022

▶