CVE-2021-41232 – github.com/stevenweathers/thunderdome-planning-poker
Package
Manager: go
Name: github.com/stevenweathers/thunderdome-planning-poker
Vulnerable Version: >=0 <1.16.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
EPSS: 0.00492, percentile 0.64657
Details
Improper Neutralization of Special Elements used in an LDAP Query in stevenweathers/thunderdome-planning-poker

### Impact
LDAP injection vulnerability, only affects instances with LDAP authentication enabled.

### Patches
Patch for vulnerability released with v1.16.3.

### Workarounds
Disable LDAP feature if in use

### References
[OWASP LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Thunderdome Github Repository](https://github.com/StevenWeathers/thunderdome-planning-poker)
* Email us at [steven@weathers.me](mailto:steven@weathers.me)
Metadata
Created: 2021-11-08T18:16:21Z
Modified: 2024-02-08T22:24:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-26cm-qrc6-mfgj/GHSA-26cm-qrc6-mfgj.json
CWE IDs: ["CWE-116", "CWE-74", "CWE-90"]
Alternative ID: GHSA-26cm-qrc6-mfgj
Finding: F404
Auto approve: 1