{"containers": {"cna": {"affected": [{"product": "Apache Karaf", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "prior to 4.0.8"}]}], "datePublic": "2017-12-04T00:00:00", "descriptions": [{"lang": "en", "value": "Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service."}], "problemTypes": [{"descriptions": [{"description": "Injection Attack", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-04T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "RHSA-2018:1322", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1322"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://karaf.apache.org/security/cve-2016-8750.txt"}, {"name": "103098", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103098"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-12-04T00:00:00", "ID": "CVE-2016-8750", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Karaf", "version": {"version_data": [{"version_value": "prior to 4.0.8"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Injection Attack"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:1322", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1322"}, {"name": "https://karaf.apache.org/security/cve-2016-8750.txt", "refsource": "CONFIRM", "url": "https://karaf.apache.org/security/cve-2016-8750.txt"}, {"name": "103098", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103098"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:35:00.163Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:1322", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1322"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://karaf.apache.org/security/cve-2016-8750.txt"}, {"name": "103098", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103098"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2016-8750", "datePublished": "2018-02-19T15:00:00Z", "dateReserved": "2016-10-18T00:00:00", "dateUpdated": "2024-09-17T00:36:15.735Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "990D05D0-F472-4516-9C4B-3E743BFB4956", "versionEndExcluding": "4.0.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service."}, {"lang": "es", "value": "Apache Karaf en versiones anteriores a la 4.0.8 utilizaba LDAPLoginModule para autenticar a los usuarios en un directorio mediante LDAP. Sin embargo, no cifraba los nombres de usuario correctamente y, por lo tanto, era vulnerable a ataques de inyecci\u00f3n LDAP, lo que conduc\u00eda a una denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2016-8750", "lastModified": "2024-11-21T02:59:59.623", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-19T15:29:00.207", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103098"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1322"}, {"source": "security@apache.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://karaf.apache.org/security/cve-2016-8750.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103098"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1322"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://karaf.apache.org/security/cve-2016-8750.txt"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-90"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:1322", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "package": "karaf", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2018-05-03T00:00:00Z"}, {"advisory": "RHSA-2018:1322", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "karaf", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2018-05-03T00:00:00Z"}], "bugzilla": {"description": "karaf: LDAP injection in LDAPLoginModule", "id": "1524432", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1524432"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-90", "details": ["Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service.", "Apache Karaf uses the LDAPLoginModule to authenticate users to a directory via LDAP. It does not, however, encode usernames properly and hence is vulnerable to LDAP injection attacks. While it appears that it is not possible to exploit this vulnerability to allow an attacker to gain remote access, it does allow an attacker to insert special characters into the search query step. Therefore, it can potentially be exploited as part of a Denial of Service attack."], "name": "CVE-2016-8750", "package_state": [{"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "karaf", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-12-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-8750\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8750\nhttps://karaf.apache.org/security/cve-2016-8750.txt"], "threat_severity": "Moderate"}