Versions 2.2.4 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter.
ldapauth is not actively maintained and has not had a release since 2014. As a result, there is no patch available for it. Consider updating to ldapauth-fork 2.3.3 or later.
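As an added example (not ldapauth-fork's own code), the following shows the root cause of the issue above: a username interpolated verbatim into an LDAP search filter, beside the hardened form that escapes RFC 4515 metacharacters first, plus a structural check a defender can apply before the filter is sent to the directory. The `(uid=...)` template and the `uid` attribute are assumptions for illustration.

```javascript
// Added example, not code from ldapauth-fork. The filter template and the
// attribute name "uid" are assumptions chosen for illustration.

// Characters with special meaning inside an LDAP filter value (RFC 4515 section 3),
// mapped to their escaped form. Backslash must be handled like any other, so a
// single-pass replace is used below rather than sequential replaces.
const FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\u0000': '\\00',
};

// Escape a value before placing it inside an LDAP filter assertion.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (ch) => FILTER_ESCAPES[ch]);
}

// Vulnerable pattern: the username is interpolated unchanged, so filter
// metacharacters in it change the structure of the search.
function buildFilterUnsafe(username) {
  return `(uid=${username})`;
}

// Hardened pattern: same template, but the value is escaped first, so the
// username can only ever be matched as a literal string.
function buildFilterSafe(username) {
  return `(uid=${escapeFilterValue(username)})`;
}

// Defensive check: a filter built from one attribute and one value must still be
// a single equality assertion on that attribute whose value contains no raw
// metacharacters. Any other shape means the input altered the filter.
function filterIsSingleAssertion(filter, attribute) {
  const m = /^\(([A-Za-z][\w-]*)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)$/.exec(filter);
  return m !== null && m[1] === attribute;
}
```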
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ldapauth-fork | lt | 2.3.3 |
www.openwall.com/lists/oss-security/2015/09/18/4
www.openwall.com/lists/oss-security/2015/09/18/8
www.openwall.com/lists/oss-security/2015/09/21/2
github.com/vesse/node-ldapauth-fork
github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
github.com/vesse/node-ldapauth-fork/issues/21
nvd.nist.gov/vuln/detail/CVE-2015-7294
www.npmjs.com/advisories/18
www.npmjs.com/advisories/19