CVE-2024-52792

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-52792

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52792.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-52792

Related

GHSA-6cp9-j5r7-xhcc
GHSA-fm9w-7m7v-wxqv
UBUNTU-CVE-2024-52792

Published

2024-12-17T22:15:07Z

Modified

2025-01-11T23:45:35.345615Z

Summary

[none]

Details

LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via mainmanage.php and confmain.php. This allows setting arbitrary config values and thus effectively bypassing mitigation of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via mainmanage.php and confmain.php. The values are written to config.cfg or serverprofile.conf in the format of settingsName: settingsValue line-by-line. An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.4-1

7.5-1

7.7-1

7.9-1

7.9.1-1

8.*

8.0.1-0+deb11u1

8.0.1-1

8.0.1-1.1

8.1-1

8.2-1

8.3-1

8.5-1

8.6-1

8.7-1

9.*

9.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.3-1

8.5-1

8.6-1

8.7-1

9.*

9.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0-1

Affected versions

8.*

8.3-1

8.5-1

8.6-1

8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}