LDAP injection in ManifoldCF - CVE-2022-45910


Published: December 6, 2022


Vulnerability identifier: #VU69964
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-45910
CWE-ID: CWE-90
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software: ManifoldCF

Detailed vulnerability description

The vulnerability allows a remote user to manipulate queries and escalate privileges within the application.

The vulnerability exists due to improper input validation when processing LDAP queries within the ActiveDirectory and SharePoint ActiveDirectory authority connectors. A remote user can send a specially crafted LDAP query to the application and bypass implemented security restrictions or escalate privileges within the application.
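The root cause described above is CWE-90: untrusted text spliced into an LDAP search filter without escaping. The following added example (not ManifoldCF code; the attribute name and the filter shape are assumptions) shows the weak concatenation pattern beside the hardened form that escapes filter values per RFC 4515, plus a structural check a defender can apply to the resulting filter.

```python
"""RFC 4515 filter-value escaping as the fix for CWE-90 (LDAP injection).

Added example, not part of ManifoldCF. It assumes an authority connector that
looks up one Active Directory user by sAMAccountName; that attribute and the
(&(objectClass=user)(...)) shape are assumptions, not taken from the project.
"""

# Characters that carry meaning inside an LDAP search filter (RFC 4515, section 3).
_FILTER_SPECIALS = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape every special character so the value can only match literally."""
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append(_FILTER_SPECIALS[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII is escaped as the hex of each UTF-8 byte.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_user_filter(username: str) -> str:
    """The CWE-90 pattern: caller-supplied text spliced straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened form: the value is escaped, so the filter structure is fixed."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def filter_has_expected_shape(ldap_filter: str) -> bool:
    """Defensive check: a single-user lookup has exactly three unescaped '('
    and ')' and no unescaped wildcard. Anything else means the value altered
    the query structure and the lookup should be refused."""
    return (ldap_filter.count("(") == 3
            and ldap_filter.count(")") == 3
            and "*" not in ldap_filter)
```

With a constructed input such as `*)(objectClass=*`, the unsafe builder yields a filter with four groups and a wildcard, while the escaped builder keeps the three-group shape and matches only that literal string.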


How to mitigate CVE-2022-45910

Install updates from the vendor's website.

Sources