Derby / DERBY-7147

LDAP injection vulnerability in LDAPAuthenticationSchemeImpl


Details

    • Normal
    • Release Note Needed
    • Security, Seen in production

    Description

      An LDAP injection vulnerability has been identified in LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been provided, but there is a possibility that an intruder could bypass authentication checks in Derby-powered applications which rely on external LDAP servers.

      For more information on LDAP injection, see https://www.synopsys.com/glossary/what-is-ldap-injection.html
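The attachment names (escapeLDAPsearchFilter) indicate that the fix escapes the uid before it is spliced into the search filter. The following is an added example, not Derby's code, showing why that matters: it builds the filter both ways and runs it through a deliberately small RFC 4515 filter evaluator (equality with `*` wildcards, plus `&`, `|` and `!`) over a constructed in-memory directory. The directory, the DNs and the names unsafe_uid_filter, safe_uid_filter and lookup_dn are all illustrative assumptions.

```python
"""RFC 4515 search-filter escaping: vulnerable versus fixed filter construction.

Added example, not Derby's code. DIRECTORY and every function name here are
constructed for illustration; the evaluator is a small subset of RFC 4515.
"""
import re

# RFC 4515 section 3: these characters are filter syntax inside an assertion
# value and must be written as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_uid_filter(uid: str) -> str:
    """The injectable pattern: the raw uid becomes part of the filter syntax."""
    return f"(uid={uid})"


def safe_uid_filter(uid: str) -> str:
    """The fixed pattern: the uid is escaped first, so it can only be a value."""
    return f"(uid={escape_filter_value(uid)})"


# Constructed stand-in for the external LDAP server (attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice Example"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob Example"]},
    "uid=dbadmin,ou=people,dc=example,dc=com": {"uid": ["dbadmin"], "cn": ["Database Admin"]},
}


def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i >= len(s):
        raise ValueError(f"truncated filter {s!r}")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op!r} filter in {s!r}")
        return (op, children), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '!' filter in {s!r}")
        return ("!", [node]), i + 1
    eq, close = s.find("=", i), s.find(")", i)
    if eq == -1 or close == -1 or eq > close:
        raise ValueError(f"malformed item at offset {i} in {s!r}")
    # The raw value keeps its \xx escapes; only an unescaped '*' is a wildcard.
    return ("=", s[i:eq].lower(), s[eq + 1:close]), close + 1


def _value_regex(raw: str) -> re.Pattern:
    """Unescaped '*' becomes a wildcard; '\\xx' sequences become literal characters."""
    pieces = []
    for piece in raw.split("*"):
        literal = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.IGNORECASE)


def _match(node, entry) -> bool:
    kind = node[0]
    if kind == "=":
        rx = _value_regex(node[2])
        return any(rx.fullmatch(v) for v in entry.get(node[1], []))
    if kind == "&":
        return all(_match(c, entry) for c in node[1])
    if kind == "|":
        return any(_match(c, entry) for c in node[1])
    return not _match(node[1][0], entry)  # "!"


def search(directory, filter_str: str):
    """Return the DNs whose entries match filter_str, in directory order."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        # This evaluator is strict about trailing data; the point of escaping is
        # that the caller never gets to decide how much of the filter it writes.
        raise ValueError(f"trailing data after filter: {filter_str[end:]!r}")
    return [dn for dn, entry in directory.items() if _match(node, entry)]


def lookup_dn(uid: str, build_filter=safe_uid_filter):
    """Resolve a uid to exactly one DN; anything ambiguous counts as not found."""
    hits = search(DIRECTORY, build_filter(uid))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for probe in ("alice", "*", "db*", "alice)(cn=*"):
        for name, build in (("unsafe", unsafe_uid_filter), ("safe", safe_uid_filter)):
            try:
                print(name, repr(probe), build(probe), "->", search(DIRECTORY, build(probe)))
            except ValueError as err:
                print(name, repr(probe), build(probe), "->", err)
```

With the unescaped filter a login name of `*` matches every entry and `db*` selects the dbadmin entry by prefix, so the attacker, not the directory, decides which DN the lookup returns; after escaping the same inputs are plain strings that match nothing. A DN lookup used for authentication should also refuse to proceed on anything other than exactly one hit, as lookup_dn does.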

      Attachments

        1. derby-7147-01-aa-reformatForReadability.diff
          14 kB
          Richard N. Hillegas
        2. derby-7147-02-aa-escapeLDAPsearchFilter.diff
          6 kB
          Richard N. Hillegas
        3. derby-7147-02-ab-escapeLDAPsearchFilter.diff
          6 kB
          Richard N. Hillegas
        4. derby-7147-03-aa-updateLDAPinstructions.diff
          6 kB
          Richard N. Hillegas
        5. derby-7147-03-aa-updateLDAPinstructions.tar
          15 kB
          Richard N. Hillegas
        6. derby-7147-03-ab-updateLDAPinstructions.diff
          6 kB
          Richard N. Hillegas
        7. derby-7147-03-ab-updateLDAPinstructions.tar
          15 kB
          Richard N. Hillegas
        8. derby-7147-04-aa-pointLDAPTestAtInstructions.diff
          0.9 kB
          Richard N. Hillegas
        9. LDAPauthenticationVulnerability.pdf
          23 kB
          Richard N. Hillegas
        10. releaseNote.html
          2 kB
          Richard N. Hillegas


People

  Assignee: rhillegas Richard N. Hillegas
  Reporter: rhillegas Richard N. Hillegas
  Votes: 0
  Watchers: 11
