OpenAM has LDAP Injection via `_queryId` Parameter
Description
OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/{realm}/users. In IdentityResourceV1.queryCollection(), the HTTP query parameter _queryId is passed to a CrestQuery object with escapeQueryId **explicitly set to false**, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to DJLDAPv3Repo.getFilter() where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.
Affected
Endpoint
| Endpoint | Auth Required | Injection Parameter | |----------|--------------|---------------------| | GET /openam/json/{realm}/users?_queryId= | SSO Token | _queryId | | GET /openam/json/{realm}/groups?_queryId= | SSO Token (TBD) | _queryId |
Background: CVE-2021-29156
CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached DJLDAPv3Repo.getFilter() unescaped. The fix introduced the escapeQueryId flag in CrestQuery (defaulting to true) and added Filter.escapeAssertionValue() in the filter-building path:
Credit
Discovered by JD-Security SHENYI Team
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.openidentityplatform.openam:openam-core-restMaven | < 16.1.1 | 16.1.1 |
Affected products
1Patches
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4News mentions
0No linked articles in our index yet.