Overview
ldapauth versions <= 2.2.4 are vulnerable to LDAP injection through the username parameter.
Source: Node Security Project
Remediation
Consider updating to use ldapauth-fork 2.3.3 or greater as ldapauth has not yet been patched.
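As an added example that is not part of this advisory or of either package's code: escaping a username per RFC 4515 before it is substituted into an LDAP search filter, which is the standard mitigation for CWE-90 in the "username parameter" case the advisory describes. The `(uid={{username}})` template and placeholder name are assumptions.

```javascript
// Added example (not ldapauth's or ldapauth-fork's code): escape a username
// so that it is matched literally inside an LDAP search filter (RFC 4515 s.3).
// The "{{username}}" placeholder and filter template below are assumptions.

const LDAP_FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\u0000': '\\00',
};

// Replace each filter metacharacter with its backslash-hex escape sequence.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => LDAP_FILTER_ESCAPES[ch]);
}

// True when the raw username contains characters that would change the
// filter's meaning if interpolated unescaped; useful for a login-audit log.
function needsLdapEscaping(value) {
  return escapeLdapFilterValue(value) !== String(value);
}

// Substitute the escaped username into the template. split/join is used
// instead of String.replace so that "$&"-style patterns in the username
// are not interpreted as replacement directives.
function buildUserFilter(template, username) {
  return template.split('{{username}}').join(escapeLdapFilterValue(username));
}

// Sample usage with a constructed username.
console.log(buildUserFilter('(uid={{username}})', 'jdoe'));
```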
CVSS Score
5.3
medium severity
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
- Credit: David Black, Jerome Touffe-Blin
- CWE: CWE-90
- Snyk ID: npm:ldapauth:20150918
- Disclosed: 18 Sep, 2015
- Published: 18 Sep, 2015