npm

Severity: high

LDAP Injection

ldapauth

Overview

Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. The username parameter is placed into the LDAP search filter without escaping, so an attacker can inject arbitrary LDAP filter syntax and alter the query the server runs.
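The pattern behind this class of bug, as an added example that is not ldapauth's or ldapauth-fork's own code: a caller-controlled username is interpolated into an LDAP search filter verbatim, beside the RFC 4515 escaping and an allow-list check that remove the injection. The filter template `(uid=...)` and all function names are assumptions made for the illustration.

```javascript
// Added example, not code from the ldapauth package. The filter template
// and function names are assumptions; the inputs below are constructed.

// Vulnerable pattern: the username is concatenated into the filter string
// unchanged, so any filter metacharacters it carries become part of the
// query structure instead of being matched as literal text.
function buildFilterUnsafe(username) {
  return `(uid=${username})`;
}

// RFC 4515 escaping for a value embedded in an LDAP search filter.
// Each metacharacter is replaced by a backslash and its two-digit hex code.
// A single replace() pass with a callback avoids double-escaping the
// backslash that the other replacements introduce.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\5c';
      case '*':  return '\\2a';
      case '(':  return '\\28';
      case ')':  return '\\29';
      default:   return '\\00'; // NUL byte
    }
  });
}

// Hardened pattern: the same template, but the value is escaped first, so
// the filter always has exactly one assertion on the uid attribute.
function buildFilterSafe(username) {
  return `(uid=${escapeFilterValue(username)})`;
}

// Defence in depth: an allow-list on the username format rejects input
// that could never be a legitimate account name, before it reaches LDAP.
// The character set and length are assumptions for this example.
function isPlausibleUsername(username) {
  return /^[A-Za-z0-9._-]{1,64}$/.test(String(username));
}

// Demonstration on constructed inputs.
for (const input of ['alice', '*', 'alice)']) {
  console.log(JSON.stringify(input),
    'unsafe:', buildFilterUnsafe(input),
    'safe:', buildFilterSafe(input),
    'allowed:', isPlausibleUsername(input));
}
```

With the unsafe builder, the constructed input `*` yields the filter `(uid=*)`, which matches every entry with a uid, while the escaped builder yields `(uid=\2a)`, a literal search for an asterisk. Reviewing an authentication module for this bug means finding every place a request value is concatenated into a filter and confirming an escaping step like `escapeFilterValue` sits between them.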

Remediation

ldapauth is not actively maintained, with no release published since 2014. As a result, there is no patch available. Consider migrating to ldapauth-fork 2.3.3 or later.

Advisory timeline

  1. reported

    Initial report by David Black, Jerome Touffe-Blin
    Oct 17th, 2015
  2. published

    Advisory published
    Sep 18th, 2015