LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in (/var/lib/ldap-account-manager/)tmp directory.
References
Link | Resource |
---|---|
https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 | Patch Third Party Advisory |
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q8g5-45m4-q95p | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5177 | Third Party Advisory |
https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 | Patch Third Party Advisory |
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q8g5-45m4-q95p | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5177 | Third Party Advisory |
Configurations
History
21 Nov 2024, 07:03
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 - Patch, Third Party Advisory | |
References | () https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q8g5-45m4-q95p - Third Party Advisory | |
References | () https://www.debian.org/security/2022/dsa-5177 - Third Party Advisory |
24 Jul 2023, 13:17
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-863 |
07 Jul 2022, 14:37
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 7.2
v3 : 7.8 |
CPE | cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
|
References | (CONFIRM) https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q8g5-45m4-q95p - Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5177 - Third Party Advisory | |
References | (MISC) https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 - Patch, Third Party Advisory |
06 Jul 2022, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
27 Jun 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-06-27 21:15
Updated : 2024-11-21 07:03
NVD link : CVE-2022-31087
Mitre link : CVE-2022-31087
CVE.ORG link : CVE-2022-31087
JSON object : View
Products Affected
ldap-account-manager
- ldap_account_manager
debian
- debian_linux