[ 
https://issues.apache.org/jira/browse/GEODE-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jinwoo Hwang updated GEODE-10591:
---------------------------------
    Description: Affected versions of this package are vulnerable to LDAP 
Injection in the `DefaultLdapRealm` class. An attacker can bypass 
authentication or impersonate other users by injecting LDAP special characters 
into the Distinguished Name (DN) construction during LDAP bind authentication.  
(was: Affected versions of this package are vulnerable to Allocation of 
Resources Without Limits or Throttling due to the lack of enforced limits in 
the `HPackDecoder` process. An attacker can exhaust system memory by sending 
oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement 
applies the configured header list size limit.)

> Remediation of CVE-2026-49268
> -----------------------------
>
>                 Key: GEODE-10591
>                 URL: https://issues.apache.org/jira/browse/GEODE-10591
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>
> Affected versions of this package are vulnerable to LDAP Injection in the 
> `DefaultLdapRealm` class. An attacker can bypass authentication or 
> impersonate other users by injecting LDAP special characters into the 
> Distinguished Name (DN) construction during LDAP bind authentication.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to