New subject: [Bug 1844510] CVE-2016-6497 groovy: allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods

5 Jun 2020


      https://bugzilla.redhat.com/show_bug.cgi?id=1844510
Bug ID: 1844510
           Summary: CVE-2016-6497 groovy: allows attackers to conduct LDAP
                    entry poisoning attacks by leveraging setting
                    returnObjFlag to true for all search methods
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: gsuckevi@redhat.com
                CC: aboyko@redhat.com, aileenc@redhat.com,
                    akoufoud@redhat.com, alazarot@redhat.com,
                    almorale@redhat.com, anstephe@redhat.com,
                    asoldano@redhat.com, atangrin@redhat.com,
                    bbaranow@redhat.com, bmaxwell@redhat.com,
                    bmontgom@redhat.com, brian.stansberry@redhat.com,
                    cdewolf@redhat.com, chazlett@redhat.com,
                    darran.lofthouse@redhat.com, decathorpe@gmail.com,
                    dkreling@redhat.com, dosoudil@redhat.com,
                    drieden@redhat.com, eparis@redhat.com,
                    etirelli@redhat.com, extras-orphan@fedoraproject.org,
                    ggaughan@redhat.com, gmalinko@redhat.com,
                    gvarsami@redhat.com, ibek@redhat.com,
                    iweiss@redhat.com, janstey@redhat.com,
                    java-maint@redhat.com,
                    java-sig-commits@lists.fedoraproject.org,
                    jawilson@redhat.com, jburrell@redhat.com,
                    jcoleman@redhat.com, jochrist@redhat.com,
                    jokerman@redhat.com, jolee@redhat.com,
                    jperkins@redhat.com, jschatte@redhat.com,
                    jstastny@redhat.com, jwon@redhat.com,
                    kconner@redhat.com, krathod@redhat.com,
                    kverlaen@redhat.com, kwills@redhat.com,
                    ldimaggi@redhat.com, lgao@redhat.com, lkundrak@v3.sk,
                    loleary@redhat.com, mizdebsk@redhat.com,
                    mnovotny@redhat.com, msochure@redhat.com,
                    msrb@redhat.com, msvehla@redhat.com,
                    nstielau@redhat.com, nwallace@redhat.com,
                    paradhya@redhat.com, pjindal@redhat.com,
                    pmackay@redhat.com, psotirop@redhat.com,
                    puntogil@libero.it, rguimara@redhat.com,
                    rrajasek@redhat.com, rstancel@redhat.com,
                    rsvoboda@redhat.com, rsynek@redhat.com,
                    rwagner@redhat.com, sdaley@redhat.com,
                    smaestri@redhat.com, spinder@redhat.com,
                    sponnaga@redhat.com, tcunning@redhat.com,
                    theute@redhat.com, tkirby@redhat.com,
                    tom.jenkinson@redhat.com, vhalbert@redhat.com
  Target Milestone: ---
    Classification: Other
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in
Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging
setting returnObjFlag to true for all search methods.
References:
https://mail-archives.apache.org/mod_mbox/directory-users/201610.mbox/%3Cb7d...
Upstream commit:
http://svn.apache.org/viewvc/directory/sandbox/szoerner/groovyldap/src/main/...
-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 1844510] New: CVE-2016-6497 groovy: allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods