main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.

References:
https://mail-archives.apache.org/mod_mbox/directory-users/201610.mbox/%3Cb7d7e909-a8ed-1ab4-c853-4078c1e7624a%40stefan-seelmann.de%3E

Upstream commit:
http://svn.apache.org/viewvc/directory/sandbox/szoerner/groovyldap/src/main/java/org/apache/directory/groovyldap/LDAP.java?r1=1765362&r2=1765361&pathrev=1765362&view=patch
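Added example, not part of the original report and not code from Groovy LDAP: the JNDI `SearchControls` setting the description refers to, shown in its weak and corrected forms together with a guard that rejects the weak one before a query is sent. The class and method names (`SafeLdapSearch`, `weakControls`, `hardenedControls`, `requireNoObjectReturn`, `search`) are hypothetical.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical helper class for illustration; not the project's own code.
public class SafeLdapSearch {

    // Weak setting (constructed illustration): the fifth constructor argument,
    // returningObjFlag, is true, so JNDI rebuilds Java objects from the
    // attributes of entries the directory server returns.
    static SearchControls weakControls(int scope) {
        return new SearchControls(scope, 0, 0, null, true, false);
    }

    // Corrected setting: results carry plain attribute data only.
    static SearchControls hardenedControls(int scope, String[] attrs) {
        SearchControls c = new SearchControls();
        c.setSearchScope(scope);
        c.setReturningAttributes(attrs); // null means all attributes
        c.setReturningObjFlag(false);    // explicit, although false is the default
        return c;
    }

    // Guard for code paths that accept SearchControls built elsewhere.
    static void requireNoObjectReturn(SearchControls c) {
        if (c.getReturningObjFlag()) {
            throw new IllegalArgumentException(
                "SearchControls.returningObjFlag must be false");
        }
    }

    // Single choke point: unsafe controls are rejected before the search runs.
    static NamingEnumeration<SearchResult> search(DirContext ctx, String base,
            String filter, SearchControls c) throws NamingException {
        requireNoObjectReturn(c);
        return ctx.search(base, filter, c);
    }

    public static void main(String[] args) {
        requireNoObjectReturn(
            hardenedControls(SearchControls.SUBTREE_SCOPE, new String[] {"cn", "mail"}));
        try {
            requireNoObjectReturn(weakControls(SearchControls.SUBTREE_SCOPE));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```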
Created groovy tracking bugs for this issue:
Affects: fedora-31 [bug 1844512]

Created groovy18 tracking bugs for this issue:
Affects: fedora-31 [bug 1844511]
Statement: The vulnerable class, LDAP, is not found in OpenShift Container Platform's distribution of ElasticSearch. Groovy as shipped in Red Hat Enterprise Linux 7 does not embed the LDAP class, and thus is not affected by this vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-6497