Source: ldap-account-manager
Version: 8.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2024-52792[0]:
| LDAP Account Manager (LAM) is a php webfrontend for managing entries
| (e.g. users, groups, DHCP settings) stored in an LDAP directory. In
| affected versions LAM does not properly sanitize configuration
| values, that are set via `mainmanage.php` and `confmain.php`. This
| allows setting arbitrary config values and thus effectively
| bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv.
| Configuration values for the main config or server profiles are set
| via `mainmanage.php` and `confmain.php`. The values are written to
| `config.cfg` or `serverprofile.conf` in the format of `settingsName:
| settingsValue` line-by-line. An attacker can smuggle arbitrary
| config values in a config file, by inserting a newline into certain
| config fields, followed by the value. This vulnerability has been
| addressed in version 9.0. All users are advised to upgrade. There
| are no known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52792
    https://www.cve.org/CVERecord?id=CVE-2024-52792
[1] https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
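To make the smuggling mechanism described in the advisory concrete, here is an added example in Python. It is not LAM's PHP code: the setting names (`serverURL`, `admins`, `secretSetting`), the exact `name: value` serialisation with the first colon as separator, and the choice to reject CR/LF in a field as the hardening are all assumptions made for illustration, not the project's actual implementation or its 9.0 fix. The block shows a line-oriented config writer that never checks values for newlines, the reader that parses the file back, the result of submitting a field value with an embedded newline (a new setting appears and an earlier one is overridden because later lines win), and a hardened writer that refuses any field containing a line break.

```python
"""Config-line smuggling through an unsanitised newline (illustrative, not LAM's code)."""
import re

# Constructed sample settings; the names are placeholders, not LAM's real keys.
BASE_SETTINGS = {
    "serverURL": "ldap://ldap.example.org:389",
    "admins": "cn=admin,dc=example,dc=org",
}

# Constructed attacker input for the 'admins' field. Each embedded newline ends
# the current 'admins:' line and starts a line for a setting the attacker should
# not control. Because 'admins' is written after 'serverURL', the duplicate
# 'serverURL' line lands later in the file and wins when the file is read back.
ATTACKER_ADMINS = (
    "cn=admin,dc=example,dc=org\n"
    "secretSetting: attackerValue\n"
    "serverURL: ldap://attacker.example:389"
)

_LINE_BREAK = re.compile(r"[\r\n]")


def write_config_vulnerable(settings):
    """Serialise settings as 'name: value' lines without inspecting the values."""
    return "".join(f"{name}: {value}\n" for name, value in settings.items())


def parse_config(text):
    """Line-oriented reader: the first ':' splits name and value; later duplicates win."""
    parsed = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return parsed


def write_config_hardened(settings):
    """Assumed hardening: refuse any name or value that would add a line to the file."""
    for name, value in settings.items():
        if _LINE_BREAK.search(name) or _LINE_BREAK.search(str(value)):
            raise ValueError(f"line break in config field {name!r}")
    return write_config_vulnerable(settings)


def demo_injection():
    """Write the attacker-supplied 'admins' value and return what is read back."""
    settings = dict(BASE_SETTINGS, admins=ATTACKER_ADMINS)
    return parse_config(write_config_vulnerable(settings))


def demo_hardened_rejects():
    """True if the hardened writer refuses the same attacker-supplied value."""
    settings = dict(BASE_SETTINGS, admins=ATTACKER_ADMINS)
    try:
        write_config_hardened(settings)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("read back after vulnerable write:", demo_injection())
    print("hardened writer rejects the value:", demo_hardened_rejects())
```

Rejecting the request is the simplest of several possible fixes; escaping or encoding the value on write and decoding on read would also preserve the one-setting-per-line invariant, but any fix has to be applied to every field that reaches the file, since a single unchecked field is enough to append arbitrary lines.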