Bug 1844510 (CVE-2016-6497)
| Field | Value |
|---|---|
| Summary | CVE-2016-6497 groovy: allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz (gsuckevi) |
| Component | vulnerability |
| Assignee | Red Hat Product Security (security-response-team) |
| Status | CLOSED WONTFIX |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, bbaranow, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, decathorpe, dkreling, dosoudil, drieden, eparis, etirelli, extras-orphan, ggaughan, gmalinko, gvarsami, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jburrell, jcantril, jcoleman, jochrist, jokerman, jolee, jperkins, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lkundrak, loleary, mizdebsk, mnovotny, msochure, msrb, msvehla, nstielau, nwallace, paradhya, pjindal, pmackay, psotirop, puntogil, rguimara, rrajasek, rstancel, rsvoboda, rsynek, rwagner, sdaley, smaestri, spinder, sponnaga, tcunning, theute, tkirby, tom.jenkinson, vhalbert |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Groovy LDAP. The Groovy LDAP API sets `returnObjFlag` to true for all search methods, which allows attackers to conduct LDAP entry poisoning attacks. The highest threat from this vulnerability is to data integrity. |
| Story Points | --- |
| Last Closed | 2020-06-11 17:20:28 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1844511, 1844512 |
| Bug Blocks | 1844513 |
Description
Guilherme de Almeida Suckevicz, 2020-06-05 14:48:48 UTC

Created groovy tracking bugs for this issue:
Affects: fedora-31 [bug 1844512]

Created groovy18 tracking bugs for this issue:
Affects: fedora-31 [bug 1844511]

Statement: The vulnerable class LDAP is not found in OpenShift Container Platform's distribution of ElasticSearch. Groovy as shipped in Red Hat Enterprise Linux 7 does not embed the LDAP class, and thus is not affected by this vulnerability.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-6497
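The Doc Text names the flaw only by its flag. The following is an added example, not code from this bug report or from the Groovy LDAP project: it uses plain JNDI (javax.naming), the API underneath Groovy LDAP, to show the search control that `returnObjFlag` maps to in its weak and hardened forms; the url, base and filter values are hypothetical caller inputs.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapSearchHardening {
    // Weak form (what CVE-2016-6497 describes): returningObjFlag=true asks the JNDI
    // LDAP provider to turn each matching entry into a Java object. An entry carrying
    // javaSerializedData or a javaFactory/javaCodebase reference is then deserialized
    // or resolved through a factory class, so whoever can write that entry controls
    // what the client instantiates. That is the "LDAP entry poisoning" path.
    static SearchControls weakControls() {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningObjFlag(true);
        return ctls;
    }

    // Hardened form: only attributes come back. The provider never builds objects
    // from directory data, so a poisoned entry is just an entry with odd attributes.
    static SearchControls hardenedControls(String... attrs) {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningObjFlag(false);
        ctls.setReturningAttributes(attrs.length == 0 ? null : attrs); // null = all
        return ctls;
    }

    // Attribute-only search; url, base and filter are hypothetical caller values.
    static void searchAttributesOnly(String url, String base, String filter) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results =
                    ctx.search(base, filter, hardenedControls("cn", "mail"));
            while (results.hasMore()) {
                Attributes attrs = results.next().getAttributes();
                System.out.println(attrs.get("cn") + " " + attrs.get("mail"));
            }
        } finally {
            ctx.close();
        }
    }
}
```

When auditing a wrapper library, the check is whether any code path calls `setReturningObjFlag(true)` (or reads `SearchResult.getObject()`) on results from a directory that untrusted parties can write to.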