CVE-2020-5281

Published: Mar 25, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Perun before version 3.9.1, VO or group manager can modify configuration of the LDAP extSource to retrieve all from Perun LDAP. Issue is fixed in version 3.9.1 by sanitisation of the input.

Affected (1)

Products: Cesnet: Perun

Cesnet

1 product

Perun

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cesnet Perun	Before 3.9.1

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

References (6)

https://github.com/CESNET/perun/commit/ac527bc3225a64208ee5cee59e5918ee360ca039

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/CESNET/perun/pull/2635

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/CESNET/perun/security/advisories/GHSA-gj88-9q3f-72m3

Source: security-advisories@github.com

Third Party Advisory

https://github.com/CESNET/perun/commit/ac527bc3225a64208ee5cee59e5918ee360ca039

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/CESNET/perun/pull/2635

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/CESNET/perun/security/advisories/GHSA-gj88-9q3f-72m3

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.