Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-43350 | 1 Apache | 1 Traffic Control | 2024-08-04 | 9.8 Critical |
| An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter. | ||||
| CVE-2021-41276 | 1 Enalean | 1 Tuleap | 2024-08-04 | 6.7 Medium |
| Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. This issue has been patched in Tuleap Community Edition 13.2.99.31, Tuleap Enterprise Edition 13.1-5, and Tuleap Enterprise Edition 13.2-3. | ||||
| CVE-2021-41232 | 1 Thunderdome | 1 Planning Poker | 2024-08-04 | 8.1 High |
| Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use. | ||||
| CVE-2021-32651 | 1 Onedev Project | 1 Onedev | 2024-08-03 | 3.1 Low |
| OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2. | ||||
| CVE-2022-45910 | 1 Apache | 1 Manifoldcf | 2024-08-03 | 5.3 Medium |
| Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions. | ||||
| CVE-2022-4254 | 2 Fedoraproject, Redhat | 16 Sssd, Enterprise Linux, Enterprise Linux Desktop and 13 more | 2024-08-03 | 8.8 High |
| sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters | ||||
| CVE-2023-51446 | 1 Glpi-project | 1 Glpi | 2024-08-02 | 5.9 Medium |
| GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12. | ||||
| CVE-2023-31025 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2024-08-02 | 6.5 Medium |
| NVIDIA DGX A100 BMC contains a vulnerability where an attacker may cause an LDAP user injection. A successful exploit of this vulnerability may lead to information disclosure. | ||||
| CVE-2023-28853 | 1 Joinmastodon | 1 Mastodon | 2024-08-02 | 7.7 High |
| Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2. | ||||
| CVE-2023-6905 | 1 Nxfilter | 1 Nxfilter | 2024-08-02 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5. This issue affects some unknown processing of the file user,adap.jsp?actionFlag=test&id=1 of the component Bind Request Handler. The manipulation leads to ldap injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-248267. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-45046 | 2023-11-07 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | ||||