Headline
CVE-2022-47581: Advisory Report for M-Link Incorrect Access Control Vulnerability
Isode M-Vault 16.0v0 through 17.x before 17.0v24 can crash upon an LDAP v1 bind request.
Summary
Denial of Service due to application crash
Release Date
21st December 2022
Product
M-Vault
Version(s)
16.0v0 to 17.0v23
CVE ID
CVE-2022-47581
Summary of vulnerability
This advisory discloses a critical vulnerability introduced in version R16.0v0 of M-Vault. The following versions are affected by this vulnerability:
- M-Vault R16.0v0 to R17.0v23.
An LDAPv1 bind request causes the server to crash, resulting in denial of service.
Severity
Isode rates the severity level of this vulnerability as high, according to the CVSS system (details can be found at www.first.org).
Mitigation
This vulnerability has been fixed in M-Vault R17.0v24, and affected services are advised to upgrade to this version immediately. Later versions currently available (such as the subsequent major release R18.0) are not affected by this vulnerability.
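To triage an inventory against the affected range stated above, the following added example (not Isode's code) classifies M-Vault version strings. It assumes versions are written as in this advisory (`R16.0v0`, `17.0v23`, `R18.0`); the host names are constructed sample data.

```python
import re

# Version strings as written in the advisory: "R16.0v0", "17.0v23", "R18.0".
_VERSION = re.compile(r"R?(\d+)\.(\d+)(?:v(\d+))?", re.IGNORECASE)

FIRST_AFFECTED = (16, 0, 0)   # R16.0v0, where the bug was introduced
FIRST_FIXED = (17, 0, 24)     # R17.0v24, the fixed release


def parse_version(text):
    """Return (major, minor, update); update is None when no 'vN' suffix is given."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised M-Vault version: {text!r}")
    major, minor, update = m.groups()
    return int(major), int(minor), (int(update) if update is not None else None)


def classify(text):
    """Return 'affected', 'not affected' or 'unknown' for one version string."""
    try:
        major, minor, update = parse_version(text)
    except ValueError:
        return "unknown"
    if update is None:
        # Without the update number, decide only when it cannot change the answer.
        if (major, minor) < FIRST_AFFECTED[:2] or (major, minor) > FIRST_FIXED[:2]:
            return "not affected"
        if (major, minor) < FIRST_FIXED[:2]:
            return "affected"
        return "unknown"          # "17.0" alone: could be before or after v24
    version = (major, minor, update)
    return "affected" if FIRST_AFFECTED <= version < FIRST_FIXED else "not affected"


def triage(inventory):
    """Map each host in {host: version_string} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory (hypothetical host names) for demonstration.
SAMPLE_INVENTORY = {
    "dir-a.example": "R16.0v0",
    "dir-b.example": "17.0v23",
    "dir-c.example": "R17.0v24",
    "dir-d.example": "R18.0",
    "dir-e.example": "17.0",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need their exact update number confirmed before they can be ruled in or out.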
Acknowledgements
Isode thanks Jerome Nokin of the NATO Cyber Security Centre (NCSC), who discovered this vulnerability.