[
https://issues.apache.org/jira/browse/GEODE-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang updated GEODE-10591:
---------------------------------
Description: Affected versions of this package are vulnerable to LDAP
Injection in the `DefaultLdapRealm` class. An attacker can bypass
authentication or impersonate other users by injecting LDAP special characters
into the Distinguished Name (DN) construction during LDAP bind authentication.
(was: Affected versions of this package are vulnerable to Allocation of
Resources Without Limits or Throttling due to the lack of enforced limits in
the `HPackDecoder` process. An attacker can exhaust system memory by sending
oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement
applies the configured header list size limit.)
> Remediation of CVE-2026-49268
> -----------------------------
>
> Key: GEODE-10591
> URL: https://issues.apache.org/jira/browse/GEODE-10591
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> Affected versions of this package are vulnerable to LDAP Injection in the
> `DefaultLdapRealm` class. An attacker can bypass authentication or
> impersonate other users by injecting LDAP special characters into the
> Distinguished Name (DN) construction during LDAP bind authentication.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)