Code Injection in LDAP Account Manager

#VU65008 Code Injection in LDAP Account Manager

Published: 2022-07-07

Vulnerability identifier: #VU65008

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31084

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LDAP Account Manager
Server applications / Remote management servers, RDP, SSH

Vendor: LDAP Account Manager

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can inject the first constructor argument and execute arbitrary code on the system, if non-LAM classes are instantiated that execute code during object creation.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LDAP Account Manager: 0.4.7 - 7.9.1

External links
http://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4
http://github.com/LDAPAccountManager/lam/security/advisories/GHSA-r387-grjx-qgvw

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for ldap-account-manager

Multiple vulnerabilities in LDAP Account Manager