In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
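An added illustration of the flaw class described above, not OpenLDAP's back-sql code: a simplified Python/sqlite3 model of turning an LDAP equality filter into SQL, with the string-concatenating form beside a bound-parameter form. The table, column map, function names and sample filters are constructed for this example.

```python
import re
import sqlite3

# Hypothetical attribute-to-column map; back-sql's real mapping tables differ.
ATTR_TO_COLUMN = {"cn": "cn", "mail": "mail"}

def parse_equality_filter(ldap_filter):
    """Parse a single '(attr=value)' filter and decode RFC 4515 \\XX escapes."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()*]*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter")
    attr, raw = m.group(1).lower(), m.group(2)
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return attr, value

def make_db():
    """Build an in-memory table with two constructed entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (cn TEXT, mail TEXT)")
    conn.executemany("INSERT INTO persons VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def search_concat(conn, ldap_filter):
    """Weak form: the assertion value is pasted into the SQL text unescaped."""
    attr, value = parse_equality_filter(ldap_filter)
    sql = f"SELECT cn FROM persons WHERE {ATTR_TO_COLUMN[attr]} = '{value}'"
    return [row[0] for row in conn.execute(sql)]

def search_bound(conn, ldap_filter):
    """Hardened form: column from an allow-list, value as a bound parameter."""
    attr, value = parse_equality_filter(ldap_filter)
    sql = f"SELECT cn FROM persons WHERE {ATTR_TO_COLUMN[attr]} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]

# Constructed inputs: a normal filter and one whose value contains a quote.
BENIGN = "(cn=alice)"
QUOTED = "(cn=x' OR '1'='1)"

if __name__ == "__main__":
    conn = make_db()
    for f in (BENIGN, QUOTED):
        print(f, "concat:", search_concat(conn, f), "bound:", search_bound(conn, f))
```

RFC 4515 requires escaping only `*`, `(`, `)`, `\` and NUL in filter values, so a single quote is a legal filter character and reaches the SQL layer unchanged. With the concatenating form the quoted filter matches every row; with the bound form it matches none.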
Created openldap tracking bugs for this issue:
Affects: fedora-all [bug 2081936]
The issue happens in the openldap-servers package, which has not been shipped since RHEL 8. Hence, I'm closing the issues as WONTFIX.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):