ldap-account-manager is vulnerable to information disclosure. The vulnerability exists because the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration, allowing an attacker to gain sensitive information through the session file
{"id": "VERACODE:36275", "vendorId": null, "type": "veracode", "bulletinFamily": "software", "title": "Information Disclosure", "description": "ldap-account-manager is vulnerable to information disclosure. The vulnerability exists because the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration, allowing an attacker to gain sensitive information through the session file \n", "published": "2022-07-06T19:52:50", "modified": "2022-07-07T16:44:54", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-36275/summary", "reporter": "Veracode Vulnerability Database", "references": ["https://security-tracker.debian.org/tracker/CVE-2022-31085", "https://www.debian.org/security/2022/dsa-5177", "https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4", "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6m3q-5c84-6h6j"], "cvelist": ["CVE-2022-31085"], "immutableFields": [], "lastseen": "2022-07-17T12:36:50", "viewCount": 11, "enchantments": {"score": {"value": 1.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-31085"]}, {"type": "debian", "idList": ["DEBIAN:DSA-5177-1:9861C"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-31085"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-5177.NASL"]}, {"type": "osv", "idList": ["OSV:DSA-5177-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-31085"]}]}, "affected_software": {"major_version": [{"name": "ldap-account-manager:bullseye", "version": 7}, {"name": "ldap-account-manager:sid", "version": 7}, {"name": "ldap-account-manager:bullseye", "version": 7}, {"name": "ldap-account-manager:sid", "version": 7}]}, "epss": [{"cve": "CVE-2022-31085", "epss": "0.000490000", "percentile": "0.153440000", "modified": "2023-03-19"}], "vulnersScore": 1.7}, "_state": {"score": 1660016489, "dependencies": 1660016219, "affected_software_major_version": 1666695388, "epss": 1679300024}, "_internal": {"score_hash": "043dc6d11371b6b1634c4587210ef17c"}, "affectedSoftware": [{"version": "7.3-1", "operator": "eq", "name": "ldap-account-manager:bullseye"}, {"version": "7.3-1", "operator": "eq", "name": "ldap-account-manager:sid"}, {"version": "7.3-1", "operator": "eq", "name": "ldap-account-manager:bullseye"}, {"version": "7.3-1", "operator": "eq", "name": "ldap-account-manager:sid"}]}
{"cve": [{"lastseen": "2023-02-09T14:25:58", "description": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-06-27T21:15:00", "type": "cve", "title": "CVE-2022-31085", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31085"], "modified": "2022-07-07T14:02:00", "cpe": ["cpe:/o:debian:debian_linux:11.0"], "id": "CVE-2022-31085", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31085", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2022-12-20T15:48:41", "description": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-06-27T21:15:00", "type": "debiancve", "title": "CVE-2022-31085", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31085"], "modified": "2022-06-27T21:15:00", "id": "DEBIANCVE:CVE-2022-31085", "href": "https://security-tracker.debian.org/tracker/CVE-2022-31085", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-01-27T13:19:17", "description": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g.\nusers, groups, DHCP settings) stored in an LDAP directory. In versions\nprior to 8.0 the session files include the LDAP user name and password in\nclear text if the PHP OpenSSL extension is not installed or encryption is\ndisabled by configuration. This issue has been fixed in version 8.0. Users\nunable to upgrade should install the PHP OpenSSL extension and make sure\nsession encryption is enabled in LAM main configuration.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-06-27T00:00:00", "type": "ubuntucve", "title": "CVE-2022-31085", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31085"], "modified": "2022-06-27T00:00:00", "id": "UB:CVE-2022-31085", "href": "https://ubuntu.com/security/CVE-2022-31085", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cnvd": [{"lastseen": "2022-08-17T10:04:21", "description": "LDAP Account Manager is a web front-end for managing entries (e.g., users, groups, DHCP settings) stored in the LDAP directory. cross-site scripting vulnerability exists in LDAP Account Manager (LAM) versions prior to 8.0, which stems from the fact that if the PHP OpenSSL extension is not installed or configured with encryption disabled, the Session files contain LDAP user names and passwords in plaintext, which can be exploited to obtain sensitive information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-06-30T00:00:00", "type": "cnvd", "title": "LDAP Account Manager Cross-Site Scripting Vulnerability (CNVD-2022-53547)", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31085"], "modified": "2022-07-26T00:00:00", "id": "CNVD-2022-53547", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-53547", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2022-07-07T17:57:49", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5177-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 05, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ldap-account-manager\nCVE ID : CVE-2022-24851 CVE-2022-31084 CVE-2022-31085 CVE-2022-31086 \n CVE-2022-31087 CVE-2022-31088\n\nArseniy Sharoglazov discovered multiple security issues in LDAP Account\nManager (LAM), a web frontend for managing accounts in an LDAP directory,\nwhich could result in information disclosure or unauthenticated remote\ncode execution.\n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 8.0.1-0+deb11u1.\n\nWe recommend that you upgrade your ldap-account-manager packages.\n\nFor the detailed security status of ldap-account-manager please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/ldap-account-manager\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T18:28:44", "type": "debian", "title": "[SECURITY] [DSA 5177-1] ldap-account-manager security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24851", "CVE-2022-31084", "CVE-2022-31085", "CVE-2022-31086", "CVE-2022-31087", "CVE-2022-31088"], "modified": "2022-07-05T18:28:44", "id": "DEBIAN:DSA-5177-1:9861C", "href": "https://lists.debian.org/debian-security-announce/2022/msg00145.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-03-01T05:52:58", "description": "The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5177 advisory.\n\n - LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version 7.9.1. (CVE-2022-24851)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0. (CVE-2022-31084)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration. (CVE-2022-31085)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.\n (CVE-2022-31086)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in (/var/lib/ldap-account-manager/)tmp directory. (CVE-2022-31087)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0. (CVE-2022-31088)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-06T00:00:00", "type": "nessus", "title": "Debian DSA-5177-1 : ldap-account-manager - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-24851", "CVE-2022-31084", "CVE-2022-31085", "CVE-2022-31086", "CVE-2022-31087", "CVE-2022-31088"], "modified": "2022-07-08T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ldap-account-manager", "p-cpe:/a:debian:debian_linux:ldap-account-manager-lamdaemon", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5177.NASL", "href": "https://www.tenable.com/plugins/nessus/162762", "sourceData": "#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5177. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162762);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/08\");\n\n script_cve_id(\n \"CVE-2022-24851\",\n \"CVE-2022-31084\",\n \"CVE-2022-31085\",\n \"CVE-2022-31086\",\n \"CVE-2022-31087\",\n \"CVE-2022-31088\"\n );\n\n script_name(english:\"Debian DSA-5177-1 : ldap-account-manager - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-5177 advisory.\n\n - LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP\n directory. The profile editor tool has an edit profile functionality, the parameters on this page are not\n properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in\n the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor\n tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an\n user can enter relative paths like\n ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like\n burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that\n path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The\n issue is fixed in version 7.9.1. (CVE-2022-24851)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings)\n stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from\n arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution\n if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in\n version 8.0. (CVE-2022-31084)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings)\n stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and\n password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by\n configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP\n OpenSSL extension and make sure session encryption is enabled in LAM main configuration. (CVE-2022-31085)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings)\n stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP\n scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the\n /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of\n LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.\n (CVE-2022-31086)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings)\n stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/,\n allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files\n under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the\n host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP\n scripts in (/var/lib/ldap-account-manager/)tmp directory. (CVE-2022-31087)\n\n - LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings)\n stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to\n enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in\n version 8.0. (CVE-2022-31088)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://security-tracker.debian.org/tracker/source-package/ldap-account-manager\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3e38a554\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5177\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-24851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-31084\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-31085\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-31086\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-31087\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-31088\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/ldap-account-manager\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the ldap-account-manager packages.\n\nFor the stable distribution (bullseye), these problems have been fixed in version 8.0.1-0+deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-31087\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-31086\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ldap-account-manager\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ldap-account-manager-lamdaemon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"false\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'ldap-account-manager', 'reference': '8.0.1-0+deb11u1'},\n {'release': '11.0', 'prefix': 'ldap-account-manager-lamdaemon', 'reference': '8.0.1-0+deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ldap-account-manager / ldap-account-manager-lamdaemon');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-08-10T07:21:05", "description": "\nArseniy Sharoglazov discovered multiple security issues in LDAP Account\nManager (LAM), a web frontend for managing accounts in an LDAP directory,\nwhich could result in information disclosure or unauthenticated remote\ncode execution.\n\n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 8.0.1-0+deb11u1.\n\n\nWe recommend that you upgrade your ldap-account-manager packages.\n\n\nFor the detailed security status of ldap-account-manager please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/ldap-account-manager](https://security-tracker.debian.org/tracker/ldap-account-manager)\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-07-05T00:00:00", "type": "osv", "title": "ldap-account-manager - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31087", "CVE-2022-31088", "CVE-2022-31086", "CVE-2022-24851", "CVE-2022-31085", "CVE-2022-31084"], "modified": "2022-08-10T07:20:59", "id": "OSV:DSA-5177-1", "href": "https://osv.dev/vulnerability/DSA-5177-1", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
Information Disclosure
