Bug 1524432 (CVE-2016-8750)
Summary: | CVE-2016-8750 karaf: LDAP injection in LDAPLoginModule | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, apevec, chazlett, chrisw, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, mkolesni, rbryant, sclewis, slinaber, tdecacqu |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | karaf 4.0.8 | Doc Type: | If docs needed, set a value |
Doc Text: | Apache Karaf's LDAPLoginModule authenticates users against a directory over LDAP. It inserts the supplied username into the LDAP search filter without escaping the characters that are special in filter syntax (per RFC 4515: `*`, `(`, `)`, `\` and NUL), so it is vulnerable to LDAP injection. It does not appear to be possible to exploit this to gain remote access, but an attacker can inject special characters into the user-search step and change the meaning of the query, for example by turning an exact-match lookup into a wildcard search. It can therefore potentially be used as part of a denial of service attack. | | 
Story Points: | --- | | 
Clone Of: | | Environment: | 
Last Closed: | 2019-06-08 03:33:07 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: | 
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | 
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1530422 | ||
Bug Blocks: | 1524434, 1530427 |
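To make the Doc Text's point concrete, the following is an added example written for this page; it is not Karaf's LDAPLoginModule code and makes no claim about the exact filter Karaf builds. It assumes a login module that builds the user-search filter `(uid=<username>)` by string concatenation (the attribute name, the class and method names and the sample usernames are all hypothetical) and sets that vulnerable form beside one that escapes the username as an RFC 4515 assertion value, with a small structural check that shows which inputs alter the query.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added illustration of the unescaped-username pattern described in the
 * Doc Text and of the RFC 4515 escaping that closes it. Not Karaf code;
 * class, method names and sample inputs are hypothetical.
 */
public class LdapFilterEscapeDemo {

    /** Vulnerable pattern: the username is concatenated into the filter as-is. */
    static String vulnerableFilter(String username) {
        return "(uid=" + username + ")";
    }

    /** Hardened pattern: the username is escaped as an RFC 4515 assertion value. */
    static String safeFilter(String username) {
        return "(uid=" + escapeFilterValue(username) + ")";
    }

    /**
     * RFC 4515 section 3: NUL, '(', ')', '*' and '\' are written as a backslash
     * followed by two hex digits. Bytes outside ASCII are escaped the same way
     * after UTF-8 encoding, so the resulting filter string is pure ASCII.
     */
    static String escapeFilterValue(String value) {
        byte[] utf8 = value.getBytes(StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder(utf8.length);
        for (byte b : utf8) {
            int c = b & 0xff;
            if (c == 0x00 || c == '(' || c == ')' || c == '*' || c == '\\' || c > 0x7f) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    /**
     * Cheap structural check used only to show which inputs change the query:
     * a single equality filter "(attr=value)" has exactly one unescaped '(' and
     * one unescaped ')' and no unescaped '*'. It is not a substitute for escaping.
     */
    static boolean isSingleEqualityFilter(String filter) {
        int open = 0, close = 0;
        for (int i = 0; i < filter.length(); i++) {
            char c = filter.charAt(i);
            if (c == '\\') { i += 2; continue; }   // skip a "\xx" escape sequence
            if (c == '(') open++;
            else if (c == ')') close++;
            else if (c == '*') return false;       // wildcard: no longer an exact match
        }
        return open == 1 && close == 1;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one normal login and three injection attempts.
        String[] inputs = {
            "alice",
            "*",                       // wildcard: matches every entry with a uid
            "*)(objectClass=*",        // closes the assertion and opens another
            "alice)(|(uid=*)(cn=*"     // injects an OR branch over the whole subtree
        };
        for (String user : inputs) {
            String bad = vulnerableFilter(user);
            String good = safeFilter(user);
            System.out.printf("input %-24s vulnerable %-34s intact=%b%n",
                    "'" + user + "'", bad, isSingleEqualityFilter(bad));
            System.out.printf("      %-24s hardened   %-34s intact=%b%n",
                    "", good, isSingleEqualityFilter(good));
        }
    }
}
```

Compile and run with `javac LdapFilterEscapeDemo.java && java LdapFilterEscapeDemo`. Every injection attempt fails the structural check in the vulnerable form and passes it once escaped, because the attacker's `*`, `(` and `)` become `\2a`, `\28` and `\29` and are matched literally. Where the module's own API allows it, the JNDI form `DirContext.search(name, "(uid={0})", new Object[]{username}, controls)` is the simpler fix: JNDI escapes the `filterArgs` values itself, so no hand-written escaper is needed.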
Description
Andrej Nemec
2017-12-11 13:47:48 UTC
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322