Base · Medium

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CWE-90 · Base Level · 2 CVEs · 1 Mitigation

Description

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Potential Impact

Confidentiality, Integrity, Availability

Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data

Demonstrative Examples

The code below constructs an LDAP query using user-supplied address data:

Bad:

    context = new InitialDirContext(env);
    // 'address' comes straight from the user and is concatenated into the filter unescaped
    String searchFilter = "StreetAddress=" + address;
    NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);

Because the code fails to neutralize the address string used to construct the query, an attacker can supply an address that includes additional LDAP queries.

Mitigations & Prevention

Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
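As an added example (not code from the CWE entry), the StreetAddress filter from the Demonstrative Example is rebuilt in Python with the two layers this mitigation describes: an "accept known good" allow-list check, followed by RFC 4515 escaping of the value before it is placed in the filter. The address allow-list pattern and the 100-character limit are assumptions for illustration, not part of the CWE entry.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter.

    Control characters and non-ASCII characters are UTF-8 encoded and each byte
    emitted as \\XX, so the result stays within the RFC 4515 string form.
    """
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# "Accept known good" policy (assumed for this example): letters, digits, spaces and
# a few punctuation marks that occur in postal addresses, with a length bound.
_ADDRESS_ALLOWED = re.compile(r"[A-Za-z0-9 .,'#/-]{1,100}")


def validate_address(address: str) -> bool:
    """True only if the whole string conforms to the assumed address policy."""
    return _ADDRESS_ALLOWED.fullmatch(address) is not None


def build_street_address_filter_unsafe(address: str) -> str:
    """Mirrors the 'Bad' snippet: raw concatenation, no neutralization."""
    return "StreetAddress=" + address


def build_street_address_filter(address: str) -> str:
    """Reject out-of-policy input first, then escape what remains (defense in depth)."""
    if not validate_address(address):
        raise ValueError("address contains characters outside the accepted set")
    # RFC 4515 filters are parenthesized; the value inside is escaped, not trusted.
    return "(StreetAddress=" + escape_ldap_filter_value(address) + ")"
```

Escaping alone keeps filter metacharacters inert; the allow-list additionally rejects input the application has no reason to accept, which is the strategy the mitigation text recommends.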

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID           Description
CVE-2021-41232   Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)
CVE-2005-2301    Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack.

Taxonomy Mappings

  • PLOVER: LDAP injection
  • OWASP Top Ten 2007: A2 — Injection Flaws
  • WASC: 29 — LDAP Injection
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-90?

CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

How can CWE-90 be exploited?

Attackers can exploit CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')) to execute unauthorized code or commands, read application data, or modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-90?

Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

What is the severity of CWE-90?

CWE-90 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.