CVE-2021-32651 LOW

CVE-2021-32651: LDAP injection via OneDev may leak some LDAP directory information

Vendor Theonedev
Product onedev
Weakness CWE-90 · LDAP injection
Published June 1, 2021
Last update August 3, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.
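The defect class above is user input substituted into an LDAP search filter without escaping. The following is an added example, not OneDev's code, of the mitigation: escaping the login name per RFC 4515 before it is placed into a filter template. The `{0}` placeholder syntax and the template strings are assumptions for illustration, not OneDev's configuration format.

```python
# Added illustration (not OneDev's code): RFC 4515 escaping of a value that is
# substituted into an LDAP user search filter, so that filter metacharacters in
# the supplied login name cannot change the structure of the query.

# Characters that carry meaning inside an LDAP filter and their escaped forms.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an attribute value inside an LDAP filter."""
    # Per-character mapping, so an escape we emit is never re-escaped.
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(template: str, username: str) -> str:
    """Substitute the login name into a filter template such as '(uid={0})'.

    '{0}' is an assumed placeholder syntax for this example. The template
    itself is trusted administrator configuration; only the username is
    untrusted and gets escaped.
    """
    if template.count("{0}") != 1:
        raise ValueError("template must contain exactly one {0} placeholder")
    return template.replace("{0}", escape_ldap_filter_value(username))


def filter_structure_unchanged(template: str, built: str) -> bool:
    """Check that substitution added no filter components (no extra parentheses)."""
    return built.count("(") == template.count("(") and built.count(")") == template.count(")")


if __name__ == "__main__":
    # Constructed input containing filter metacharacters; with escaping it is
    # matched literally as an attribute value instead of altering the filter.
    tmpl = "(&(objectClass=person)(uid={0}))"
    built = build_user_search_filter(tmpl, "a*)(cn=")
    print(built)                                   # (&(objectClass=person)(uid=a\2a\29\28cn=))
    print(filter_structure_unchanged(tmpl, built)) # True
```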

Key dates

Disclosure timeline

June 1, 2021 CVE published
August 3, 2024 Record updated