Source: ldap-account-manager
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2024-23333[0]:
| LDAP Account Manager (LAM) is a webfrontend for managing entries
| stored in an LDAP directory. LAM's log configuration allows to
| specify arbitrary paths for log files. Prior to version 8.7, an
| attacker could exploit this by creating a PHP file and cause LAM to
| log some PHP code to this file. When the file is then accessed via
| web the code would be executed. The issue is mitigated by the
| following: An attacker needs to know LAM's master configuration
| password to be able to change the main settings; and the webserver
| needs write access to a directory that is accessible via web. LAM
| itself does not provide any such directories. The issue has been
| fixed in 8.7. As a workaround, limit access to LAM configuration
| pages to authorized users.

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23333
    https://www.cve.org/CVERecord?id=CVE-2024-23333

Please adjust the affected versions in the BTS as needed.
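The mechanism the advisory describes (an admin-writable log path that can point at a web-served `.php` file) is easy to see in code. The following PHP is an added illustration, not LAM's code and not the fix that shipped in 8.7: it puts the unrestricted pattern next to one way of confining a configurable log path to a dedicated, non-web-served directory. The `$logDir` and `$webRoots` values, the demo layout under the system temp directory and the function names are assumptions chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not LAM's own code and not the upstream 8.7 fix. It
// contrasts an unrestricted log-path setting with one that is confined to a
// dedicated, non-web-served directory. $logDir and $webRoots are
// deployment-specific assumptions chosen for this demo.

// Vulnerable pattern: the admin-supplied path is opened as-is. If the
// webserver user can write under a web-served directory, whoever holds the
// master configuration password can have PHP code logged into e.g. .../x.php
// and then request that file over HTTP.
function open_log_unrestricted(string $configuredPath)
{
    return fopen($configuredPath, 'a');
}

// True when $path equals $parent or lies below it. Both arguments must
// already be canonical (realpath() output) so that "..", symlinks and
// duplicate separators cannot fool the prefix comparison.
function is_subpath(string $path, string $parent): bool
{
    $parent = rtrim($parent, DIRECTORY_SEPARATOR);
    return $path === $parent
        || strncmp($path, $parent . DIRECTORY_SEPARATOR, strlen($parent) + 1) === 0;
}

// Hardened pattern: returns the canonical path to open, or throws.
function validate_log_path(string $configuredPath, string $logDir, array $webRoots): string
{
    $name = basename($configuredPath);
    // Plain names ending in .log only: no extension a webserver maps to a
    // script handler (.php, .phtml, .phar, ...), no hidden files, no
    // separators or NUL bytes.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.log$/', $name)) {
        throw new InvalidArgumentException("log file name must be a plain *.log name, got '$name'");
    }

    // The directory must already exist; realpath() resolves symlinks and
    // "..", so the check is made on the directory that will really be written.
    $dir = realpath(dirname($configuredPath));
    $allowed = realpath($logDir);
    if ($dir === false || $allowed === false || !is_subpath($dir, $allowed)) {
        throw new InvalidArgumentException("log file must live under $logDir");
    }

    // Belt and braces: even inside $logDir, refuse anything the webserver
    // would serve. This only fires if a web root is mounted inside $logDir,
    // which is exactly the precondition the advisory names.
    foreach ($webRoots as $root) {
        $canonicalRoot = realpath($root);
        if ($canonicalRoot !== false && is_subpath($dir, $canonicalRoot)) {
            throw new InvalidArgumentException("log file must not be web-accessible ($root)");
        }
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Demo on a constructed layout under the system temp directory.
$logDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lam-log-demo';
@mkdir($logDir, 0700, true);
@mkdir($logDir . DIRECTORY_SEPARATOR . 'www', 0700);   // stands in for a DocumentRoot
$webRoots = [$logDir . DIRECTORY_SEPARATOR . 'www'];

$candidates = [
    $logDir . '/lam.log',        // accepted
    $logDir . '/www/lam.log',    // rejected: inside a web-served directory
    $logDir . '/backdoor.php',   // rejected: executable extension
    $logDir . '/../lam.log',     // rejected: escapes $logDir
];
foreach ($candidates as $candidate) {
    try {
        echo "accepted: " . validate_log_path($candidate, $logDir, $webRoots) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate (" . $e->getMessage() . ")\n";
    }
}
```

The name filter is a convenience, not the control: a server configured to run `*.php.log` through a handler, or one whose DocumentRoot is not in `$webRoots`, still gets past it. The control that actually removes the primitive is the one the advisory implies: the log directory sits outside every web-served tree and is the only place the webserver user can write, so that even a fully trusted configuration page cannot turn a log sink into a code path.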