55 matches found

Spring Security Advisories
added 2026/06/09 12:0 a.m., 8 views

This Week in Spring - June 9th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! Tons of releases coming out today and this week! So make sure you're pulling in the latest posts, as often as possible! Spring LDAP 2026.06 Releases - Contains CVE Fix Spring Framework 7.0.8 and 6.2.19 Available Now Spring...

5.6 AI score
Exploits: 0

CVE
added 2026/04/14 8:5 p.m., 9 views

CVE-2026-40683

Keystone (OpenStack) LDAP identity backend vulnerability CVE-2026-40683: before 28.0.1, the user_enabled_invert setting is not applied when False, causing non-empty string values like 'FALSE' to be treated as enabled; this permits authentication and actions for users disabled in LDAP. All deploym...

7.7 CVSS, 5.8 AI score, 0.00317 EPSS
Exploits: 0, References: 4

RedhatCVE
added 2026/01/09 11:13 a.m., 5 views

CVE-2016-10740

Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to requests for these resources...

4.9 CVSS, 7 AI score, 0.01056 EPSS
Exploits: 0, References: 1

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2000-0513

Malware in sbrugna...

7.2 CVSS, 6.4 AI score, 0.00713 EPSS
Exploits: 0, References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2016-7418

Malware in sbrugna...

9.8 CVSS, 9.5 AI score, 0.04705 EPSS
Exploits: 0, References: 6

Metasploit
added 2025/07/31 6:56 p.m., 403 views

LDAP Update Object

This module allows creating, reading, updating and deleting attributes of LDAP objects. Users can specify the object and must specify a corresponding attribute. Module Options msf use auxiliary/admin/ldap/ldapobjectattribute msf auxiliaryldapobjectattribute show actions ...actions... msf...

5.8 AI score
Exploits: 0

RedhatCVE
added 2025/05/23 4:8 a.m., 4 views

CVE-2023-38734

IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 is vulnerable to incorrect privilege assignment when importing users from an LDAP directory. IBM X-Force ID: 262481...

9.8 CVSS, 6.5 AI score, 0.00599 EPSS
Exploits: 0

SUSE CVE
added 2025/03/14 2:56 a.m., 2 views

SUSE CVE-2025-27414

MinIO is a high performance object storage. Starting in RELEASE.2024-06-06T09-36-42Z and prior to RELEASE.2025-02-28T09-55-16Z, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP...

8.2 CVSS, 7 AI score, 0.00512 EPSS
Exploits: 0, References: 2

OSV
added 2024/09/20 11:9 a.m., 2 views

OESA-2024-2164 three-eight-nine-ds-base security update

389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration. Security Fixes: An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed...

7.5 CVSS, 6.8 AI score, 0.01394 EPSS
Exploits: 0, References: 3

NVD
added 2024/03/18 9:15 p.m., 15 views

CVE-2024-23333

LDAP Account Manager LAM is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When th...

7.9 CVSS, 7.8 AI score, 0.17868 EPSS
Exploits: 0, References: 2

Debian CVE
added 2024/03/18 9:7 p.m., 21 views

CVE-2024-23333

LDAP Account Manager LAM is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When th...

7.9 CVSS, 7.7 AI score, 0.17868 EPSS
Exploits: 0

Fedora
added 2024/03/07 10:33 p.m., 17 views

[SECURITY] Fedora 40 Update: ldapjdk-5.5.0-2.fc40

The Mozilla LDAP SDKs enable you to write applications which access, manage, and update the information stored in an LDAP directory...

8.8 CVSS, 6.4 AI score, 0.02557 EPSS
Exploits: 3

RedHat Linux
added 2023/10/05 8:23 p.m., 1 views

bouncycastle: potential blind LDAP injection attack using a self-signed certificate

A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain...

5.3 CVSS, 6.7 AI score, 0.00772 EPSS
Exploits: 0, References: 5

Cvelist
added 2023/08/22 9:18 p.m., 21 views

CVE-2023-38734 IBM Robotic Process Automation privilege escalation

IBM Robotic Process Automation 21.0.0 through 21.0.7.1 and 23.0.0 through 23.0.1 is vulnerable to incorrect privilege assignment when importing users from an LDAP directory. IBM X-Force ID: 262481...

6.6 CVSS, 9 AI score, 0.00599 EPSS
Exploits: 0, References: 2

Veracode
added 2023/07/07 6:45 a.m., 44 views

Credentials Leaks

cas-server-support-x509-core is vulnerable to Credentials Leaks. The vulnerability exists because the prepareConnectionFactory function of LdaptiveResourceCRLFetcher.java does not properly validate the ldapURL parameter provided by the certificate, leaking the credentials for LDAP authentication ...

7.5 CVSS, 7 AI score, 0.00408 EPSS
Exploits: 0, References: 5, Affected Software: 1

Github Security Blog
added 2023/07/05 3:30 a.m., 148 views

Bouncy Castle For Java LDAP injection vulnerability

Bouncy Castle provides the X509LDAPCertStoreSpi.java class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the...

5.3 CVSS, 6.2 AI score, 0.00772 EPSS
Exploits: 0, References: 10, Affected Software: 12

0day.today
added 2023/04/06 12:0 a.m., 239 views

LDAP Tool Box Self Service Password v1.5.2 - Account takeover Vulnerability

Exploit Title: LDAP Tool Box Self Service Password v1.5.2 - Account takeover Exploit Author: Tahar BENNACEF aka tar.gz Software Link: https://github.com/ltb-project/self-service-password Version: 1.5.2 Tested on: Ubuntu Self Service Password is a PHP application that allows users to change their...

6.8 AI score
Exploits: 0

Exploit DB
added 2023/04/06 12:0 a.m., 251 views

LDAP Tool Box Self Service Password v1.5.2 - Account takeover

Exploit Title: LDAP Tool Box Self Service Password v1.5.2 - Account takeover Date: 02/17/2023 Exploit Author: Tahar BENNACEF aka tar.gz Software Link: https://github.com/ltb-project/self-service-password Version: 1.5.2 Tested on: Ubuntu Self Service Password is a PHP application that allows users...

7.4 AI score
Exploits: 0

CNVD
added 2022/06/30 12:0 a.m., 39 views

LDAP Account Manager Parameter Injection Vulnerability

LDAP Account Manager is a web front-end for managing entries (e.g., users, groups, DHCP settings) stored in the LDAP directory. LDAP Account Manager LAM versions prior to 8.0 are vulnerable to parameter injection, which stems from the fact that LAM instantiates objects from arbitrary classes and ca...

9 CVSS, 6.1 AI score, 0.01853 EPSS
Exploits: 1, References: 1

CNVD
added 2022/06/30 12:0 a.m., 36 views

LDAP Account Manager Cross-Site Scripting Vulnerability (CNVD-2022-53547)

LDAP Account Manager is a web front-end for managing entries (e.g., users, groups, DHCP settings) stored in the LDAP directory. A cross-site scripting vulnerability exists in LDAP Account Manager LAM versions prior to 8.0, which stems from the fact that if the PHP OpenSSL extension is not installed o...

6.1 CVSS, 1.6 AI score, 0.0022 EPSS
Exploits: 0, References: 1