request #24168 Indirect LDAP injection via the ldap_id attribute of a user when checking if it exists

Artifact

Infos

Artifact ID#24168

Submitted byThomas Gerbet (tgerbet)

Last Modified On2021-12-15 08:42

Submitted on2021-11-23 15:14

Rank25711

Details

Summary *

Indirect LDAP injection via the ldap_id attribute of a user when checking if it exists

Original Submission

Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization when checking it the user still exist. This issue is related to request #24149, the initial fix was incomplete.

Impact

A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account.
CVSSv3.1 score: 6.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)

References

CWE 90
OWASP LDAP Injection
CVE-2021-43782

CategoryAuthentication & LDAP

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2021-11-25

Attachments

Connected artifacts

Artifact links

Releases

Fixed in

	Artifact ID	Project	Tracker	Summary	Status	Last Update Date	Submitted By	Assigned to
	rel #23428	Tuleap	Releases	13.3	Delivered	2021-08-12 17:17	Manuel Vacelet (vaceletm)

Reverse artifact links

Empty

AttachmentsEmpty

References

Cross references

Referencing request #24168

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/33/24533/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD c57c3696d9

Lorentz Romain (lorentzr) , 2021-11-25 11:12

request #24168: Indirect LDAP injection via the ldap_id attribute of a user when checking if it exists 64e77561eb

Thomas Gerbet (tgerbet) , 2021-11-23 15:14

Show items referenced by request #24168

Referenced by request #24168

Artifact Tracker v5

request #24149 Indirect LDAP injection via the ldap_id attribute of a user

rel #23428 13.3

Other

gerrit #24533

Follow-ups

Thomas Gerbet (tgerbet)

2021-12-15 08:42

Public disclosure.

Thomas Gerbet (tgerbet)

2021-11-29 09:10

CVE-2021-43782 has been assigned to this issue.

Original Submission

Something went wrong, the follow up content couldn't be loaded

Only formatting have been changed, you should switch to markup to see the changes

Lorentz Romain (lorentzr)

2021-11-25 11:13

integrated to Tuleap 13.2.99.83

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #23428
Close date set to 2021-11-25

Thomas Gerbet (tgerbet)

2021-11-23 15:16

Patch under review: gerrit #24533.

Summary
-~~request #24149:~~ Indirect LDAP injection via the ldap_id attribute of a user when checking if it ~~exist~~
+Indirect LDAP injection via the ldap_id attribute of a user when checking if it exists
Status changed from Under implementation to Under review