[DERBY-7147] LDAP injection vulnerability in LDAPAuthenticationSchemeImpl - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.16.1.1
Fix Version/s: 10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0
Component/s: JDBC
Labels:
None

Urgency:
Normal
Issue & fix info:

Release Note Needed
Bug behavior facts:

Security, Seen in production

Description

An LDAP injection vulnerability has been identified in LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been provided, but there is a possibility that an intruder could bypass authentication checks in Derby-powered applications which rely on external LDAP servers.

For more information on LDAP injection, see https://www.synopsys.com/glossary/what-is-ldap-injection.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

derby-7147-01-aa-reformatForReadability.diff
21/Nov/22 17:09
14 kB
Richard N. Hillegas
derby-7147-02-aa-escapeLDAPsearchFilter.diff
21/Nov/22 19:15
6 kB
Richard N. Hillegas
derby-7147-02-ab-escapeLDAPsearchFilter.diff
23/Nov/22 17:46
6 kB
Richard N. Hillegas
derby-7147-03-aa-updateLDAPinstructions.diff
29/Nov/22 22:23
6 kB
Richard N. Hillegas
derby-7147-03-aa-updateLDAPinstructions.tar
29/Nov/22 22:23
15 kB
Richard N. Hillegas
derby-7147-03-ab-updateLDAPinstructions.diff
03/Dec/22 16:16
6 kB
Richard N. Hillegas
derby-7147-03-ab-updateLDAPinstructions.tar
03/Dec/22 16:15
15 kB
Richard N. Hillegas
derby-7147-04-aa-pointLDAPTestAtInstructions.diff
07/Dec/22 16:21
0.9 kB
Richard N. Hillegas
LDAPauthenticationVulnerability.pdf
16/Nov/23 23:08
23 kB
Richard N. Hillegas
releaseNote.html
23/Aug/23 16:53
2 kB
Richard N. Hillegas

Issue Links

is related to

HDFS-17266 upgrade Apache Derby dependency due to CVE

Open

Activity

People

Assignee:: Richard N. Hillegas

Reporter:: Richard N. Hillegas

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 07/Nov/22 13:15

Updated:: 02/Mar/24 20:50

Resolved:: 12/Dec/22 18:54