CVE-2022-29155

Description

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

How to fix CVE-2022-29155

To remediate CVE-2022-29155, upgrade the affected package to a fixed version below.

• —upgrade to 2.6.2-r0 or later
• —upgrade to 2.5.12 or later
• —upgrade to 2.4.57+dfsg-3+deb11u1 or later
• —upgrade to 2.4.44+dfsg-5+deb9u9 or later
• —upgrade to 2.4.47+dfsg-3+deb10u7 or later

Is CVE-2022-29155 being exploited?

Moderate — EPSS is 13.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 2.6.2-r0
• >= 2.0.0, < 2.5.12, >= 2.6.0, < 2.6.2
• from 0, < 2.4.57+dfsg-3+deb11u1
• from 0, < 2.4.44+dfsg-5+deb9u9
• from 0, < 2.4.47+dfsg-3+deb10u7

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-29155
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-29155
• WEBbugs.openldap.org/show_bug.cgi?id=9815
• WEBlists.debian.org/debian-lts-announce/2022/05/msg00032.html
• WEB