CVE-2016-6497 - main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attacker

CVE-2016-6497

Summary

main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.

References

Vulnerable Configurations

cpe:2.3:a:apache:groovy_ldap:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy_ldap:*:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 28-05-2020 - 15:59)
Impact:
Exploitability:

CWE

CWE-254

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:P/A:N

refmap via4

bid	95929
confirm	http://svn.apache.org/viewvc/directory/sandbox/szoerner/groovyldap/src/main/java/org/apache/directory/groovyldap/LDAP.java?r1=1765362&r2=1765361&pathrev=1765362&view=patch
misc	https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
mlist	[directory-users] 20161029 Security vulnerability in Groovy LDAP API

Last major update

28-05-2020 - 15:59

Published

18-01-2017 - 22:59

Last modified

28-05-2020 - 15:59