CVE-2016-8750: Apache Karaf's LDAPLoginModule is vulnerable to LDAP injection

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache Karaf prior to 4.0.8

Description: Apache Karaf uses the LDAPLoginModule to authenticate users to a directory via LDAP. However, it does not encode usernames properly and hence is vulnerable to LDAP injection attacks. While it appears that it is not possible to exploit this vulnerability to allow an attacker to gain remote access, it allows an attacker to insert special characters into the search query step. Therefore, it can potentially be exploited as part of a Denial of Service attack.

This has been fixed in revision: https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=ac07cb2

Migration: Apache Karaf users should upgrade to 4.0.8 or later as soon as possible.

Credit: This issue was reported by Colm O hEigeartaigh of Talend.
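The defect class described above, as an added example that is not Karaf's code and not the fix in the referenced revision: a user-supplied username substituted into a search filter unescaped, beside the same substitution with RFC 4515 filter escaping, plus a structural check that shows why the escaped form cannot change the filter's shape. The `%u` placeholder in the filter template and the sample username are assumptions made for this illustration.

```python
import re

# RFC 4515 section 3: characters that carry meaning inside a filter value
# must be written as backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only match literally inside an LDAP filter.
    A per-character map avoids the ordering bug of escaping '\\' last."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(template: str, username: str) -> str:
    """The pattern the advisory describes: raw username spliced into the filter.
    '%u' as the placeholder is an assumption for this example."""
    return template.replace("%u", username)


def build_user_filter(template: str, username: str) -> str:
    """Hardened form: escape the username before substitution."""
    return template.replace("%u", escape_filter_value(username))


def unescaped_metachars(ldap_filter: str) -> str:
    """Return the filter's unescaped metacharacters in order, skipping \\XX escapes.
    For a filter like (uid=...) a correctly escaped value leaves exactly '()'."""
    out, i = [], 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", ldap_filter[i + 1:i + 3]):
            i += 3  # escaped character: not structural
            continue
        if ch in "()*\\":
            out.append(ch)
        i += 1
    return "".join(out)


def is_single_equality_assertion(ldap_filter: str) -> bool:
    """True when the filter is still one (attr=value) assertion with no wildcard."""
    return unescaped_metachars(ldap_filter) == "()"


if __name__ == "__main__":
    template = "(uid=%u)"
    username = "a*b)(c"  # constructed value containing filter metacharacters
    print(build_user_filter_unsafe(template, username))  # shape changed
    print(build_user_filter(template, username))         # literal match only
```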