cbcvebase.
CVE-2024-23333
published 2024-03-18

CVE-2024-23333: LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log…

PriorityP350medium6.6CVSS 3.1
AVNACHPRHUINSUCHIHAH
EPSS
17.87%
96.8th percentile
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.

Affected

4 ranges
VendorProductVersion rangeFixed in
debianldap-account-manager< ldap-account-manager 8.7-1 (forky)ldap-account-manager 8.7-1 (forky)
debianldap-account-manager< ldap-account-manager 9.0-1 (forky)ldap-account-manager 9.0-1 (forky)
ldap-account-managerldap_account_manager< 8.78.7
ldapaccountmanagerlam< 9.09.0

CVSS provenance

nvdv3.16.6MEDIUMCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
osv6.6MEDIUM
vendor_debian7.9HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.