CVE-2022-31084

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.

How to fix CVE-2022-31084

To remediate CVE-2022-31084, upgrade the affected package to a fixed version below.

—upgrade to 8.0.1-0+deb11u1 or later

Is CVE-2022-31084 being exploited?

Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 8.0.1-0+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-31084