Skip to main content

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVE-2021-32651

Severity Medium
Score 4.3/10

Summary

OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • LOW
  • NONE

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

References

Advisory Timeline

  • Published