Vulnerability Details CVE-2022-31086
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 56.8%
CVSS Severity
CVSS v3 Score 6.6
CVSS v2 Score 6.0
References
- https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4
- https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q9pc-x84w-982x
- https://www.debian.org/security/2022/dsa-5177
- https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4
- https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q9pc-x84w-982x
- https://www.debian.org/security/2022/dsa-5177
Products affected by CVE-2022-31086
-
cpe:2.3:a:ldap-account-manager:ldap_account_manager:-
-
cpe:2.3:a:ldap-account-manager:ldap_account_manager:3.6
-
cpe:2.3:a:ldap-account-manager:ldap_account_manager:4.2.1
-
cpe:2.3:a:ldap-account-manager:ldap_account_manager:4.3
-
cpe:2.3:a:ldap-account-manager:ldap_account_manager:6.3
-
cpe:2.3:a:ldap-account-manager:ldap_account_manager:7.9.1
-
cpe:2.3:o:debian:debian_linux:11.0