High severityNVD Advisory· Published Nov 2, 2021· Updated Aug 4, 2024
Improper Neutralization of Special Elements used in an LDAP Query
CVE-2021-41232
Description
Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/stevenweathers/thunderdome-planning-pokerGo | < 1.16.3 | 1.16.3 |
Affected products
1- Range: < 2.0.0
Patches
1f1524d01e8a0Fix LDAP vulnerability
1 file changed · +1 −1
auth.go+1 −1 modified@@ -68,7 +68,7 @@ func (s *server) authAndCreateUserLdap(UserName string, UserPassword string) (*d searchRequest := ldap.NewSearchRequest(viper.GetString("auth.ldap.basedn"), ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, - fmt.Sprintf(viper.GetString("auth.ldap.filter"), UserName), + fmt.Sprintf(viper.GetString("auth.ldap.filter"), ldap.EscapeFilter(UserName)), []string{"dn", viper.GetString("auth.ldap.mail_attr"), viper.GetString("auth.ldap.cn_attr")}, nil, )
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-26cm-qrc6-mfgjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41232ghsaADVISORY
- github.com/StevenWeathers/thunderdome-planning-poker/commit/f1524d01e8a0f2d6c3db5461c742456c692dd8c1ghsax_refsource_MISCWEB
- github.com/StevenWeathers/thunderdome-planning-poker/security/advisories/GHSA-26cm-qrc6-mfgjghsax_refsource_CONFIRMWEB
- github.com/github/securitylab/issues/464ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.