Overview
ldapauth-fork versions < 2.3.3 are vulnerable to LDAP injection through the username parameter: the username is substituted into the LDAP search filter without escaping filter metacharacters.
Source: Node Security Project
Remediation
Upgrade to ldapauth-fork 2.3.3 or greater.
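As an added example (not code from ldapauth-fork or Snyk), the escaping the fix depends on: the username is escaped per RFC 4515 before being substituted into the search filter, and a shape check confirms the resulting filter still contains a single assertion. The template `(uid={{username}})` is assumed to be the configured searchFilter; the inputs are constructed.

```javascript
// RFC 4515 escapes for the characters that change the meaning of a filter.
const LDAP_FILTER_ESCAPES = {
  '\0': '\\00',
  '(': '\\28',
  ')': '\\29',
  '*': '\\2a',
  '\\': '\\5c',
};

// Escape an untrusted assertion value so it is matched literally.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\0()*\\]/g, (ch) => LDAP_FILTER_ESCAPES[ch]);
}

// Vulnerable pattern (raw interpolation, as in ldapauth-fork < 2.3.3).
function buildFilterUnsafe(template, username) {
  return template.replace(/{{username}}/g, username);
}

// Hardened pattern: escape the value before substitution.
function buildFilterSafe(template, username) {
  return template.replace(/{{username}}/g, escapeLdapFilterValue(username));
}

// Defensive check on the final filter: after dropping escape sequences,
// exactly one unescaped '(' and ')' may remain and no unescaped '*'.
function isSingleAssertion(filter) {
  const bare = filter.replace(/\\[0-9a-fA-F]{2}/g, '');
  const opens = (bare.match(/\(/g) || []).length;
  const closes = (bare.match(/\)/g) || []).length;
  return opens === 1 && closes === 1 && !bare.includes('*');
}

// Constructed inputs: a normal username and one carrying metacharacters.
const TEMPLATE = '(uid={{username}})';
const NORMAL = 'alice';
const METACHARS = 'alice*)(x';

function demo() {
  return {
    safeNormal: buildFilterSafe(TEMPLATE, NORMAL),
    safeMeta: buildFilterSafe(TEMPLATE, METACHARS),
    unsafeMetaOk: isSingleAssertion(buildFilterUnsafe(TEMPLATE, METACHARS)),
    safeMetaOk: isSingleAssertion(buildFilterSafe(TEMPLATE, METACHARS)),
  };
}
```

Running `demo()` shows the unescaped filter failing the shape check while the escaped one passes with the metacharacters encoded as `\2a`, `\29` and `\28`.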
References:
- https://github.com/vesse/node-ldapauth-fork/issues/21
- https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
Snyk patch available for versions:
- >=2.3.0 <2.3.3
CVSS Score
6.5
medium severity
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Jerome Touffe-Blin
- CVE: CVE-2015-7294
- CWE: CWE-90
- Snyk ID: npm:ldapauth-fork:20150918
- Disclosed: 18 Sep, 2015
- Published: 18 Sep, 2015