CVE-2024-23333

LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/LDAPAccountManager/lam/releases/tag/8.7
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv

Configurations

No configuration.

History

No history.

Information

Published : 2024-03-18 21:15

Updated : 2024-03-19 13:26

NVD link : CVE-2024-23333

Mitre link : CVE-2024-23333

CVE.ORG link : CVE-2024-23333

JSON object : View

Products Affected

No product.

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2024-23333", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2024-03-18T21:15:06.473", "references": [{"url": "https://github.com/LDAPAccountManager/lam/releases/tag/8.7", "source": "security-advisories@github.com"}, {"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.\n"}, {"lang": "es", "value": "LDAP Account Manager (LAM) es una interfaz web para administrar entradas almacenadas en un directorio LDAP. La configuraci\u00f3n de registro de LAM permite especificar rutas arbitrarias para archivos de registro. Antes de la versi\u00f3n 8.7, un atacante pod\u00eda aprovechar esto creando un archivo PHP y hacer que LAM registrara alg\u00fan c\u00f3digo PHP en este archivo. Cuando se accede al archivo a trav\u00e9s de la web, se ejecutar\u00e1 el c\u00f3digo. El problema se mitiga con lo siguiente: un atacante necesita conocer la contrase\u00f1a de configuraci\u00f3n maestra de LAM para poder cambiar la configuraci\u00f3n principal; y el servidor web necesita acceso de escritura a un directorio al que se pueda acceder a trav\u00e9s de la web. La propia LAM no proporciona dichos directorios. El problema se solucion\u00f3 en 8.7. Como workaround, limite el acceso a las p\u00e1ginas de configuraci\u00f3n de LAM a usuarios autorizados."}], "lastModified": "2024-03-19T13:26:46.000", "sourceIdentifier": "security-advisories@github.com"}