CWE-90
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Description
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-136
CVEs mapped to this weakness (42)
(page 3 of 3)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23335 | | — | 0.00 | — | 0.01 | | Feb 11, 2021 | All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure. |
| CVE-2018-5730 | | Low | 0.00 | 3.8 | 0.02 | | Mar 6, 2018 | MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a… |