CVE-2022-31084

NameCVE-2022-31084
DescriptionLDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5177-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ldap-account-manager (PTS)jessie, jessie (lts)4.7.1-1+deb8u1vulnerable
stretch (security), stretch (lts), stretch5.5-1+deb9u1vulnerable
bullseye (security), bullseye8.0.1-0+deb11u1fixed
bookworm8.3-1fixed
sid, trixie8.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ldap-account-managersourcejessie(unfixed)end-of-life
ldap-account-managersourcestretch(unfixed)end-of-life
ldap-account-managersourcebullseye8.0.1-0+deb11u1DSA-5177-1
ldap-account-managersource(unstable)8.0.1-1

Notes

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-r387-grjx-qgvw
Merge: https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 (lam_8_0)

Search for package or bug name: Reporting problems