Bug 1844510 (CVE-2016-6497) - CVE-2016-6497 groovy: allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods
Summary: CVE-2016-6497 groovy: allows attackers to conduct LDAP entry poisoning attack...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-6497
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1844511 1844512
Blocks: 1844513
TreeView+ depends on / blocked
 
Reported: 2020-06-05 14:48 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 19:56 UTC (History)
77 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Groovy LDAP. The API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging the `returnObjFlag` setting. The highest threat from this vulnerability is to data integrity.
Clone Of:
Environment:
Last Closed: 2020-06-11 17:20:28 UTC


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-06-05 14:48:48 UTC
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.

References:
https://mail-archives.apache.org/mod_mbox/directory-users/201610.mbox/%3Cb7d7e909-a8ed-1ab4-c853-4078c1e7624a%40stefan-seelmann.de%3E

Upstream commit:
http://svn.apache.org/viewvc/directory/sandbox/szoerner/groovyldap/src/main/java/org/apache/directory/groovyldap/LDAP.java?r1=1765362&r2=1765361&pathrev=1765362&view=patch

Comment 1 Guilherme de Almeida Suckevicz 2020-06-05 14:49:20 UTC
Created groovy tracking bugs for this issue:

Affects: fedora-31 [bug 1844512]


Created groovy18 tracking bugs for this issue:

Affects: fedora-31 [bug 1844511]

Comment 6 Cedric Buissart 2020-06-11 14:05:00 UTC
Statement:

The vulnerable class LDAP, is not found in OpenShift Container Platform's distribution of ElasticSearch.

Groovy as shipped in Red Hat Enterprise Linux 7 does not embed the LDAP class, and thus is not affected by this vulnerability.

Comment 7 Product Security DevOps Team 2020-06-11 17:20:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-6497


Note You need to log in before you can comment on or make changes to this bug.