GHSA-cqh3-jg8p-336j

Source

https://github.com/advisories/GHSA-cqh3-jg8p-336j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cqh3-jg8p-336j/GHSA-cqh3-jg8p-336j.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cqh3-jg8p-336j

Aliases

CVE-2026-42568

Published

2026-05-26T23:39:55Z

Modified

2026-06-11T14:15:17.204229482Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Yamcs Vulnerable to LDAP Injection in LdapAuthModule

Details

Summary

An LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

Root Cause

File: yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233

The username parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:

// VULNERABLE
var filter = userFilter.replace("{0}", username);
var searchResult = getSingleResult(ctx, userBase, filter, controls);

LDAP wildcard characters (*, (, )) are accepted without sanitization.

Impact

With a known valid password, username=* authenticates as the first user returned by the LDAP search — enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.

This affects deployments that use org.yamcs.security.LdapAuthModule in their etc/security.yaml configuration file.

Proof of Concept

curl -X POST "http://TARGET:8090/auth/token" \
  -d "grant_type=password&username=*&password=known_password"
# Returns token for first matching LDAP user

Fix

Apply RFC 4515 escaping before filter construction:

private static String escapeLdapFilter(String input) {
    return input
        .replace("\\", "\\5c")
        .replace("*",  "\\2a")
        .replace("(",  "\\28")
        .replace(")",  "\\29")
        .replace("\0", "\\00");
}
var filter = userFilter.replace("{0}", escapeLdapFilter(username));

Database specific

{
    "github_reviewed_at": "2026-05-26T23:39:55Z",
    "nvd_published_at": "2026-06-10T23:16:46Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-90"
    ]
}

References

Affected packages

Maven / org.yamcs:yamcs-core

Package

Name: org.yamcs:yamcs-core; View open source insights on deps.dev
Purl: pkg:maven/org.yamcs/yamcs-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.12.7

Affected versions

0.*

0.29.3

0.30.0

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.3.0

3.3.1

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.4.6

3.4.8

3.4.11

4.*

4.0.0

4.0.1

4.1.1

4.1.2

4.2.0

4.2.1

4.2.2

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.5.0

4.6.0

4.6.1

4.6.2

4.6.3

4.7

4.7.1

4.7.3

4.8.0

4.8.1

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.10.9

5.*

5.0.0

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.4.0

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.7

5.6.0

5.6.1

5.6.2

5.7.0

5.7.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.9

5.7.10

5.7.11

5.7.12

5.7.13

5.8.0

5.8.1

5.8.2

5.8.3

5.8.4

5.8.5

5.8.6

5.8.7

5.8.8

5.9.0

5.9.1

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

5.9.7

5.9.8

5.9.8.1

5.9.9

5.9.10

5.9.11

5.9.12

5.10.0

5.10.1

5.10.2

5.10.3

5.10.4

5.10.5

5.10.6

5.10.7

5.10.8

5.10.9

5.10.10

5.10.11

5.10.12

5.11.0

5.11.1

5.11.2

5.11.3

5.11.4

5.11.5

5.11.6

5.11.7

5.11.8

5.11.9

5.11.10

5.11.11

5.11.12

5.11.13

5.12.0

5.12.1

5.12.2

5.12.3

5.12.4

5.12.5

5.12.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-cqh3-jg8p-336j/GHSA-cqh3-jg8p-336j.json"