CVE-2022-31088 — Injection in Ldap Account Manager

CWE-74 — Injection3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.6%

top 31.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ldapaccountmanager LAM Ldap-account-manager Ldap Account Manager Debian Ldap-account-manager +1 more

Timeline

PublishedJun 27

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5ldapaccountmanager/lam< 8.0

▶debiandebian/ldap-account-manager< ldap-account-manager 8.0.1-1 (bookworm)

▶NVDldap-account-manager/ldap_account_manager< 8.0

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-31088: LDAP Account Manager (LAM) is a webfrontend for managing entries (e↗2022-06-27

▶

📋Vendor Advisories

Debian

CVE-2022-31088: ldap-account-manager - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, gr...↗2022

▶