Uploaded image for project: 'Derby'
  1. Derby
  2. DERBY-7147

LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

    XMLWordPrintableJSON

Details

    • Normal
    • Release Note Needed
    • Security, Seen in production

    Description

      An LDAP injection vulnerability has been identified in LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been provided, but there is a possibility that an intruder could bypass authentication checks in Derby-powered applications which rely on external LDAP servers.

      For more information on LDAP injection, see https://www.synopsys.com/glossary/what-is-ldap-injection.html

      Attachments

        1. derby-7147-01-aa-reformatForReadability.diff
          14 kB
          Richard N. Hillegas
        2. derby-7147-02-aa-escapeLDAPsearchFilter.diff
          6 kB
          Richard N. Hillegas
        3. derby-7147-02-ab-escapeLDAPsearchFilter.diff
          6 kB
          Richard N. Hillegas
        4. derby-7147-03-aa-updateLDAPinstructions.diff
          6 kB
          Richard N. Hillegas
        5. derby-7147-03-aa-updateLDAPinstructions.tar
          15 kB
          Richard N. Hillegas
        6. derby-7147-03-ab-updateLDAPinstructions.tar
          15 kB
          Richard N. Hillegas
        7. derby-7147-03-ab-updateLDAPinstructions.diff
          6 kB
          Richard N. Hillegas
        8. derby-7147-04-aa-pointLDAPTestAtInstructions.diff
          0.9 kB
          Richard N. Hillegas
        9. releaseNote.html
          2 kB
          Richard N. Hillegas
        10. LDAPauthenticationVulnerability.pdf
          23 kB
          Richard N. Hillegas

        Issue Links

          Activity

            People

              rhillegas Richard N. Hillegas
              rhillegas Richard N. Hillegas
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: