rpms
/
pki-core
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'i9c'
${ noResults }
pki-core/SOURCES/0001-CVE-2023-4727-Fix-toke...

61 lines
2.5 KiB
Raw Permalink Blame History

From 9f9ede3fe2a6ae95230411d48183dc6880ff3c52 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 11 Sep 2023 15:40:32 -0500
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 7691a98a40..fb627b88cb 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -29,6 +29,7 @@ import com.netscape.cmscore.apps.CMSEngine;
import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.ldapconn.LDAPConfig;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
+import com.netscape.cmsutil.ldap.LDAPUtil;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -173,7 +174,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
@@ -254,7 +259,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
2.42.0
Reference in new issue View Git Blame Copy Permalink