CVE-2024-52792

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-52792

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52792.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-52792

Downstream

UBUNTU-CVE-2024-52792

Related

GHSA-6cp9-j5r7-xhcc
GHSA-fm9w-7m7v-wxqv

Published

2024-12-17T22:15:07Z

Modified

2025-07-01T16:06:48.430084Z

Summary

[none]

Details

LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via mainmanage.php and confmain.php. This allows setting arbitrary config values and thus effectively bypassing mitigation of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via mainmanage.php and confmain.php. The values are written to config.cfg or serverprofile.conf in the format of settingsName: settingsValue line-by-line. An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.4-1

7.5-1

7.7-1

7.9-1

7.9.1-1

8.*

8.0.1-0+deb11u1

8.0.1-1

8.0.1-1.1

8.1-1

8.2-1

8.3-1

8.5-1

8.6-1

8.7-1

9.*

9.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.3-1

8.5-1

8.6-1

8.7-1

9.*

9.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0-1

Affected versions

8.*

8.3-1

8.5-1

8.6-1

8.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/ldapaccountmanager/lam

Affected ranges

Type: GIT
Repo: https://github.com/ldapaccountmanager/lam
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1fbcbea3c17e77d65d8ea0ff73c1e663387d25b5

Affected versions

8.*

8.5

8.6

8.6.RC1

8.7

8.7.RC1

8.8

8.8.RC1

8.9

8.9.RC1

9.*

9.0.RC1

Other

lam_5_4

lam_5_4_RC1

lam_5_5

lam_5_5_RC1

lam_5_6

lam_5_6_RC1

lam_5_7

lam_5_7_RC1

lam_6_0

lam_6_0_1

lam_6_0_RC1

lam_6_0_RC2

lam_6_1

lam_6_1_RC1

lam_6_2

lam_6_2_1

lam_6_2_RC1

lam_6_3

lam_6_3_RC1

lam_6_4

lam_6_4_RC1

lam_6_5

lam_6_5_RC1

lam_6_6

lam_6_6_RC1

lam_6_7

lam_6_7_RC1

lam_6_8

lam_6_8_RC1

lam_6_9

lam_6_9_RC1

lam_7_0

lam_7_0_RC1

lam_7_1

lam_7_1_RC1

lam_7_2

lam_7_2_RC1

lam_7_3

lam_7_3_RC1

lam_7_4

lam_7_4_RC1

lam_7_5

lam_7_5_RC1

lam_7_6

lam_7_6_RC1

lam_7_7

lam_7_7_RC1

lam_7_8

lam_7_8_RC1

lam_7_9

lam_7_9_1

lam_7_9_RC1

lam_8_0

lam_8_0_1

lam_8_0_RC1

lam_8_1

lam_8_1_RC1

lam_8_2

lam_8_2_RC1

lam_8_3

lam_8_3_RC1

lam_8_4

lam_8_4_RC1

lam_8_5_RC1

untagged-0f11e4b04e249cac51c5