CVE-2025-59518

Published: Sep 17, 2025Modified: Sep 17, 2025

8.0

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 1.3 / Impact: 6.0

Source: MITRE (Secondary)

Description

In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server.

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/228d01945d48015f3f9ea8a8dc64d7e6a27750e9

Source: cve@mitre.org

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/3462

Source: cve@mitre.org

Timeline

No history available yet.