[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationSchemeImpl

Wed, 10 Jan 2024 10:19:07 -0800 


    [ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17805250#comment-17805250
 ] 

Richard N. Hillegas commented on DERBY-7147:
--------------------------------------------

No one has volunteered to manage a fix-bearing release built off the 10.16 
branch. As stated above in previous comments, you will need to build your own 
10.16 jar files. Instructions for building 10.16 can be found here: 
https://svn.apache.org/repos/asf/db/derby/code/branches/10.16/BUILDING.html You 
will need the Derby source from the head of the 10.16 branch: 
https://svn.apache.org/repos/asf/db/derby/code/branches/10.16/ Subversion is 
the tool you will need to grab that source.

> LDAP injection vulnerability in LDAPAuthenticationSchemeImpl
> ------------------------------------------------------------
>
>                 Key: DERBY-7147
>                 URL: https://issues.apache.org/jira/browse/DERBY-7147
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.16.1.1
>            Reporter: Richard N. Hillegas
>            Assignee: Richard N. Hillegas
>            Priority: Major
>             Fix For: 10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0
>
>         Attachments: LDAPauthenticationVulnerability.pdf, 
> derby-7147-01-aa-reformatForReadability.diff, 
> derby-7147-02-aa-escapeLDAPsearchFilter.diff, 
> derby-7147-02-ab-escapeLDAPsearchFilter.diff, 
> derby-7147-03-aa-updateLDAPinstructions.diff, 
> derby-7147-03-aa-updateLDAPinstructions.tar, 
> derby-7147-03-ab-updateLDAPinstructions.diff, 
> derby-7147-03-ab-updateLDAPinstructions.tar, 
> derby-7147-04-aa-pointLDAPTestAtInstructions.diff, releaseNote.html
>
>
> An LDAP injection vulnerability has been identified in 
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been 
> provided, but there is a possibility that an intruder could bypass 
> authentication checks in Derby-powered applications which rely on external 
> LDAP servers.
> For more information on LDAP injection, see 
> https://www.synopsys.com/glossary/what-is-ldap-injection.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to