LDAP Entry Poisoning
Description
Without proper access control, executing an LDAP statement that contains a user-controlled value can allow an attacker to abuse a poorly configured LDAP context. The flagged pattern is a `SearchControls` object built with the returning-object flag (the fifth constructor argument) set to `true`, which asks the JNDI provider to reconstruct Java objects from the attributes of the entries it returns.
Examples
Insecure Code

```scala
// Rule pattern: $SCOPE, $CLIMIT, $TLIMIT, $ATTR and $DEREF are metavariables that match any expression;
// the fixed `true` in the fifth position is the returning-object flag that triggers the finding.
new javax.naming.directory.SearchControls($SCOPE, $CLIMIT, $TLIMIT, $ATTR, true, $DEREF)
```

Secure Code

```scala
import javax.naming.directory.SearchControls

// Fifth argument (returningObjFlag) is false: the provider hands back attributes only and never
// deserializes or reconstructs Java objects stored in LDAP entries. The attribute list is an
// explicit allowlist; the last argument (a boolean) controls alias dereferencing during the search.
new SearchControls(SearchControls.SUBTREE_SCOPE, 0L, 0, Array("cn"), false, true)
```

Remediation
Validate and sanitize user-controlled input before using it in LDAP statements, and keep the returning-object flag disabled unless object reconstruction from the directory is genuinely required.
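As an added example (not part of the rule's own documentation), a Scala user lookup that applies both remediations: the uid is allowlist-validated and handed to JNDI as a filter argument rather than concatenated into the filter string, and the `SearchControls` keep the returning-object flag off. The `connect` helper, the directory URL and credentials, and the uid policy are assumptions for illustration.

```scala
import java.util.Hashtable
import javax.naming.Context
import javax.naming.directory.{DirContext, InitialDirContext, SearchControls, SearchResult}

object SafeLdapUserLookup {
  // Allowlist for the user-supplied identifier (assumed policy: short, alphanumeric uid).
  private val UidPattern = "^[A-Za-z0-9._-]{1,64}$".r

  def isValidUid(uid: String): Boolean = UidPattern.pattern.matcher(uid).matches()

  // Controls matching the secure pattern: fixed scope, bounded result count and timeout,
  // an explicit attribute allowlist, returningObjFlag = false so the provider never
  // reconstructs Java objects from entry attributes, and alias dereferencing enabled.
  def safeControls(): SearchControls =
    new SearchControls(SearchControls.SUBTREE_SCOPE, 1L, 5000, Array("cn", "mail"), false, true)

  // Hypothetical helper: open a simple-bind connection. URL and credentials are placeholders.
  def connect(url: String, bindDn: String, password: String): DirContext = {
    val env = new Hashtable[String, AnyRef]()
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
    env.put(Context.PROVIDER_URL, url)
    env.put(Context.SECURITY_AUTHENTICATION, "simple")
    env.put(Context.SECURITY_PRINCIPAL, bindDn)
    env.put(Context.SECURITY_CREDENTIALS, password)
    new InitialDirContext(env)
  }

  // Look up one user's cn and mail. The uid is validated first, then passed as filter
  // argument {0} so the JNDI provider escapes it (RFC 4515) instead of string concatenation.
  // Because returningObjFlag is false, SearchResult.getObject() is never consulted.
  def lookupUser(ctx: DirContext, baseDn: String, uid: String): Option[Map[String, String]] =
    if (!isValidUid(uid)) None
    else {
      val results = ctx.search(baseDn, "(uid={0})", Array[AnyRef](uid), safeControls())
      try {
        if (!results.hasMore()) None
        else {
          val entry: SearchResult = results.next()
          val attrs = entry.getAttributes()
          val found = Seq("cn", "mail").flatMap { name =>
            Option(attrs.get(name)).map(a => name -> String.valueOf(a.get()))
          }
          Some(found.toMap)
        }
      } finally results.close()
    }
}
```

Calling `lookupUser(connect("ldap://directory.example:389", "cn=app,dc=example", "<password>"), "ou=people,dc=example", userInput)` returns `None` for any uid that fails the allowlist, so the directory is never queried with unvalidated input.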
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0056 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-358 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | ldap, injection |
| OWASP | N/A |