CVE-2024-33868
Description
linqi before 1.4.0.1 on Windows does not sanitize user input in LDAP queries, allowing remote LDAP injection (CWE-90) with critical severity (CVSS 9.8).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A security vulnerability exists in linqi for Windows versions prior to 1.4.0.1. The software does not sufficiently sanitize user-controlled input when processing LDAP queries, allowing LDAP control characters to be injected blindly [1][2]. This flaw is classified as CWE-90 (LDAP Injection) [2]. No authentication or special configuration is required to reach the affected code path.
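The class of flaw described above, shown as an added example (not linqi code and not taken from the advisory): a filter built by plain concatenation next to one whose value is escaped per RFC 4515, with a shape check usable as a regression test. The filter template, the attribute names and the sample input are assumptions constructed for illustration.

```python
# Added illustration, not linqi source code. Attribute names are assumptions.

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

TEMPLATE = "(&(objectClass=user)(sAMAccountName={}))"  # hypothetical lookup filter


def escape_filter_value(value: str) -> str:
    """Escape each metacharacter once, so the value can only be a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The flawed pattern: user input placed in the filter unchanged."""
    return TEMPLATE.format(username)


def build_filter_safe(username: str) -> str:
    """Same filter, with the user-supplied value escaped first."""
    return TEMPLATE.format(escape_filter_value(username))


def filter_shape(ldap_filter: str) -> tuple[int, int, int]:
    """Return (open parens, close parens, wildcards): structure, not data."""
    return (ldap_filter.count("("), ldap_filter.count(")"), ldap_filter.count("*"))


def alters_structure(username: str, builder) -> bool:
    """True if username changes the filter's shape relative to a plain name."""
    return filter_shape(builder(username)) != filter_shape(builder("plainname"))


if __name__ == "__main__":
    sample = "*)(mail=*"  # constructed test value containing filter metacharacters
    for build in (build_filter_unsafe, build_filter_safe):
        print(build.__name__, build(sample), alters_structure(sample, build))
```

Escaped input leaves the filter with the same number of clauses and no wildcard, which is the property a unit test for any LDAP-facing input handler can assert.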
Exploitation
An unauthenticated remote attacker can send crafted requests containing malicious LDAP characters to the linqi Windows service [2]. The attacker does not need prior access, user interaction, or a privileged network position — the attack is entirely remote and requires no authentication. By inserting specially crafted LDAP filter strings, the attacker can manipulate the underlying LDAP query executed by the application [1][2].
Impact
Successful exploitation of this LDAP injection vulnerability can lead to a full compromise of the LDAP directory backend [2]. The attacker may be able to bypass authentication, extract sensitive directory information, or modify directory entries. The official advisory rates the severity as Critical with a CVSS base score of 9.8, indicating significant confidentiality, integrity, and availability impacts [2].
Mitigation
The issue is fully resolved in linqi version 1.4.0.1 for Windows, released on May 14, 2024 [2]. All customers are strongly advised to update to this version immediately. According to the vendor blog, no workaround is available for older versions [1][2]. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- linqi/linqi
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.