Date: Mon, 21 Sep 2015 12:56:55 +1000 From: David Black <dblack@...assian.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection. On 19 September 2015 at 05:08, <cve-assign@...re.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > https://github.com/vesse/node-ldapauth-fork/issues/21 > > > https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4 > > Use CVE-2015-7294. > > The existence of a fork does not, by itself, lead to use of multiple CVE > IDs. > The CVE ID is for the vulnerability in the shared codebase, regardless of > the > product names in which that codebase is used. > > > https://github.com/vesse/node-ldapauth-fork/issues/21#issuecomment-108186158 > has comments from the vendor about possible mitigating factors. Given > those comments, is the most straightforward threat that the attacker > may be able to arrange for a search result to be exactly one username, > and may not know the complete username in advance but may know the > password in advance? > That's one option. I was actually thinking that an attacker could also exploit this issue to extract information from ldap - provided that the attacker knows a working username and password combination then they should be able craft ldap queries that only match their username if an additional search condition is met. -- David Black / Security Engineer.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ