VYPR
Critical severity · NVD Advisory · Published Feb 20, 2023 · Updated Aug 2, 2024

LDAP Injection Vulnerability in Apache Kerby

CVE-2023-25613

Description

Apache Kerby before 2.0.3 has an LDAP injection vulnerability in the LdapIdentityBackend, allowing attackers to manipulate LDAP queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


CVE-2023-25613 is an LDAP Injection vulnerability found in the LdapIdentityBackend component of Apache Kerby prior to version 2.0.3. Apache Kerby is a Java Kerberos binding that provides a KDC server and supports various identity backends, including LDAP-based ones [1]. The flaw lies in insufficient sanitization of user-supplied input when constructing LDAP queries, enabling an attacker to inject arbitrary LDAP filter logic [2].

To exploit this vulnerability, an attacker needs network access to the Kerby KDC server and must supply crafted input during authentication or identity lookup operations that are processed by the LdapIdentityBackend. No special privileges beyond the ability to send requests to the KDC are required, as the injection occurs before any authentication check [2]. The attack surface is therefore the network-facing KDC service whenever it is configured to use an LDAP identity backend.

The impact of successful exploitation is significant. An attacker can bypass intended access controls, enumerate user entries, or escalate privileges by manipulating the LDAP query to return unauthorized data or perform unintended operations. This could lead to unauthorized authentication to Kerberos services or information disclosure of LDAP directory contents [2].

Apache has addressed this vulnerability by releasing version 2.0.3, which fixes the LDAP injection issue. Users are strongly advised to upgrade to this patched version. There are no known workarounds; upgrading is the only complete mitigation. The ASF advisory lists the fix and recommends immediate action [2].
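The following Java example illustrates the class of defect described above (a value spliced into an LDAP search filter without escaping) beside its hardened form. It is an added example, not code from Apache Kerby or from the advisory; the attribute names `krb5Principal` and `krb5PrincipalName` are taken from the common Kerberos LDAP schema and are an assumption about how a principal lookup might be expressed, and the principal-name allowlist is likewise an assumption for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class LdapFilterEscaping {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    // RFC 4515 requires escaping '*', '(', ')', '\' and NUL as a backslash plus two hex
    // digits; this implementation also hex-escapes other control and non-ASCII bytes,
    // which is a conservative choice that still yields a valid filter encoding.
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (byte raw : value.getBytes(StandardCharsets.UTF_8)) {
            int b = raw & 0xff; // treat the byte as unsigned
            switch (b) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case 0x00: sb.append("\\00"); break;
                default:
                    if (b < 0x20 || b > 0x7e) {
                        sb.append(String.format("\\%02x", b));
                    } else {
                        sb.append((char) b);
                    }
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the caller-supplied principal name is spliced into the filter
    // unchanged, so filter metacharacters in the name change the query's structure.
    // (Attribute names are assumed from the common krb5 LDAP schema; not Kerby's own code.)
    public static String buildPrincipalFilterUnsafe(String principalName) {
        return "(&(objectClass=krb5Principal)(krb5PrincipalName=" + principalName + "))";
    }

    // Hardened pattern: the value is escaped, so it can only ever match as a literal.
    public static String buildPrincipalFilterSafe(String principalName) {
        return "(&(objectClass=krb5Principal)(krb5PrincipalName="
                + escapeFilterValue(principalName) + "))";
    }

    // Defence in depth: reject names containing anything outside the characters a
    // Kerberos principal is expected to use, before the value reaches the backend at all.
    // The allowlist is an assumption for this example; adapt it to the realm's naming rules.
    private static final Pattern PRINCIPAL_NAME =
            Pattern.compile("^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)?@[A-Za-z0-9.-]+$");

    public static boolean isWellFormedPrincipalName(String principalName) {
        return PRINCIPAL_NAME.matcher(principalName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for illustration, not taken from any real incident.
        String[] samples = {
            "alice@EXAMPLE.COM",     // ordinary principal
            "alice*@EXAMPLE.COM",    // wildcard: unescaped, it is no longer a literal match
            "a(b)\\c@EXAMPLE.COM"    // parentheses and backslash
        };
        for (String name : samples) {
            System.out.println("input:        " + name);
            System.out.println("  unsafe:      " + buildPrincipalFilterUnsafe(name));
            System.out.println("  escaped:     " + buildPrincipalFilterSafe(name));
            System.out.println("  well-formed: " + isWellFormedPrincipalName(name));
        }
    }
}
```

Running `main` shows the difference: in the escaped filter `*` becomes `\2a`, `(` becomes `\28`, `)` becomes `\29` and `\` becomes `\5c`, so the directory compares the whole value as a literal, while the unsafe filter passes the metacharacters through to the LDAP parser. Escaping at the point where the filter is built is the fix; the allowlist check is an independent layer that rejects malformed names early and produces a clear audit event. Where the LDAP client library in use provides its own filter-value escaper, prefer that over a hand-written one.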

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
org.apache.kerby:ldap-backend  Maven       < 2.0.3             2.0.3

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.