CVE-2022-29155: 9815 – Serious SQL injection vulnerability in back-sql
In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
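The defect described above is an LDAP assertion value spliced into SQL text without escaping, so a quote character in the value changes the statement instead of being compared literally. The following is an added illustration, not OpenLDAP's back-sql code: it contrasts string concatenation with parameter binding and with quote-doubling, using a hypothetical `attr_values` table and constructed sample rows. The table layout, column names and sample data are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for an attribute-value table of the kind
# a SQL-backed directory might use (hypothetical schema, not back-sql's own).
SAMPLE_ROWS = [
    (1, "alice"),
    (2, "bob"),
    (3, "carol"),
    (4, "o'brien"),   # a legitimate value that happens to contain a quote
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attr_values (entry_id INTEGER, value TEXT)")
    conn.executemany("INSERT INTO attr_values VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, assertion_value):
    """Vulnerable pattern: the filter value from the request is pasted straight
    into the SQL text, so any quote in it is parsed as part of the statement."""
    sql = "SELECT entry_id FROM attr_values WHERE value = '" + assertion_value + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, assertion_value):
    """Hardened pattern: the value is bound as a parameter, so the database
    compares it literally whatever characters it contains."""
    sql = "SELECT entry_id FROM attr_values WHERE value = ?"
    return [row[0] for row in conn.execute(sql, (assertion_value,))]


def escape_sql_literal(value):
    """Fallback where a driver offers no parameter binding: double every
    single quote, which is the SQL-92 escaping for string literals."""
    return value.replace("'", "''")


def search_escaped(conn, assertion_value):
    """Same query as search_unsafe, but with the value escaped before splicing."""
    sql = ("SELECT entry_id FROM attr_values WHERE value = '"
           + escape_sql_literal(assertion_value) + "'")
    return [row[0] for row in conn.execute(sql)]


def unsafe_raises(conn, assertion_value):
    """Return True when the unsafe builder turns the value into a SQL error,
    i.e. when the value was interpreted as statement text rather than data."""
    try:
        search_unsafe(conn, assertion_value)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "o'brien"):
        print(value, "-> unsafe errors:", unsafe_raises(db, value),
              "| safe:", search_safe(db, value),
              "| escaped:", search_escaped(db, value))
```

The point worth noticing is that the legitimate value `o'brien` already breaks the concatenating builder, so a check that feeds quote-bearing values through the search path catches the defect without any crafted input; parameter binding is the preferred fix, and quote-doubling is the minimum escaping a concatenating backend must apply.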
Issue 9815 - Serious SQL injection vulnerability in back-sql
Summary: Serious SQL injection vulnerability in back-sql
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: backends
Version: 2.6.1
Hardware: All Linux
Importance: normal
Target Milestone: 2.5.12
Assignee: OpenLDAP project
URL:
Keywords:
Duplicates (1): 6461
Depends on:
Blocks:
Reported: 2022-03-23 09:25 UTC by jajcus
Modified: 2022-05-04 16:18 UTC
CC List: 5 users
See Also: 6461
Attachments:
- Escape filter values (6.46 KB, patch), 2022-03-23 12:46 UTC, Howard Chu
- fixed patch (6.59 KB, patch), 2022-03-23 13:00 UTC, Howard Chu
- additional patch (743 bytes, patch), 2022-03-23 15:24 UTC, Howard Chu
- fixed substrings (8.52 KB, patch), 2022-03-24 13:00 UTC, Howard Chu