CVE-2022-31084 — HIGH (8.1)

Q: How severe is CVE-2022-31084?

CVE-2022-31084 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-31084?

Check the references section above for vendor advisories and patch information. Affected products include: Ldap-Account-Manager Ldap Account Manager, Debian Debian Linux.

Vulnerability Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ldap-Account-Manager	Ldap Account Manager	< 8.0
Debian	Debian Linux	11.0

Related Weaknesses (CWE)

CWE-88

References

https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88PatchThird Party Advisory
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-r387-grjx-qgvThird Party Advisory
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ExploitThird Party Advisory
https://www.debian.org/security/2022/dsa-5177Third Party Advisory
https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88PatchThird Party Advisory
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-r387-grjx-qgvThird Party Advisory
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ExploitThird Party Advisory
https://www.debian.org/security/2022/dsa-5177Third Party Advisory

FAQ

What is CVE-2022-31084?

CVE-2022-31084 is a vulnerability with a CVSS score of 8.1 (HIGH). LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates object...

How severe is CVE-2022-31084?

CVE-2022-31084 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31084?

Check the references section above for vendor advisories and patch information. Affected products include: Ldap-Account-Manager Ldap Account Manager, Debian Debian Linux.