CVE-2021-43782: Indirect LDAP injection via the ldap_id attribute of a user

Affected versions

< 13.2.99.31, >= 13.1-1 && < 13.1-5, >= 13.2-1 && < 13.2-2

Patched versions

13.2.99.31, 13.1-5, 13.2-3

Description

Impact

Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization.
A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable.

Patches

The following versions contain the fix:

• Tuleap Community Edition 13.2.99.31
• Tuleap Enterprise Edition 13.1-5
• Tuleap Enterprise Edition 13.2-3

For more information

If you have any questions or comments about this advisory, reach out to us via the contact information provided on the Tuleap.org security page.

References

• request #24149 Indirect LDAP injection via the ldap_id attribute of a user
• bd47f29
• https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=bd47f29847fcd6a68d359bc8aefb8749bb8a1b7c