CVE-2022-31085
Last modified
CVE-2022-31085 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. EPSS estimates a 0.26% chance of exploitation in the next 30 days.
Description
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ldap-Account-Manager | Ldap Account Manager | < 8.0 |
| Debian | Debian Linux | 11.0 |
References
- https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4Patch, Third Party Advisory
- https://www.debian.org/security/2022/dsa-5177Third Party Advisory
- https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4Patch, Third Party Advisory
- https://www.debian.org/security/2022/dsa-5177Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-31085?
How severe is CVE-2022-31085?
How do I fix CVE-2022-31085?
Are you affected by CVE-2022-31085?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST