Source: GitHub_M · CWE-74 · Published 2021-11-02
Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use.
Improper Neutralization of Special Elements used in an LDAP Query in stevenweathers/thunderdome-planning-poker in github.com/StevenWeathers/thunderdome-planning-poker
### Impact

LDAP injection vulnerability; only affects instances with LDAP authentication enabled.

### Patches

Patch for vulnerability released with v1.16.3.

### Workarounds

Disable LDAP feature if in use.

### References

* [OWASP LDAP Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Thunderdome Github Repository](https://github.com/StevenWeathers/thunderdome-planning-poker)
* Email us at [steven@weathers.me](mailto:steven@weathers.me)
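The advisory states that the username supplied at login was not escaped before being placed into the LDAP query. The following is an added example, not code from the Thunderdome project, written in Go because the project is a Go application. It places the unsafe concatenation pattern next to a filter built with an RFC 4515 value-escaping routine, so that filter metacharacters in the username (`*`, `(`, `)`, `\`, NUL) can only ever match literally. The filter template `(&(objectClass=person)(uid=...))`, the function names and the sample usernames are all assumptions constructed for illustration; a production code base would normally call the escaping helper of its LDAP client library rather than hand-roll one.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLDAPFilterValue escapes the bytes that RFC 4515 gives special
// meaning inside a search-filter assertion value. Each such byte is
// replaced by a backslash followed by two lowercase hex digits, which is
// the encoding LDAP servers decode back to the literal character.
// (Added example; mirrors the RFC, not the project's own implementation.)
func escapeLDAPFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeUserFilter shows the defect class the advisory describes: the
// username is concatenated straight into the filter, so any filter
// metacharacters in the input become part of the query's structure.
// (Assumed filter template; for illustration only.)
func unsafeUserFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", username)
}

// safeUserFilter builds the same filter but escapes the username first.
// Whatever the input contains, the server will compare it as a literal
// uid value and nothing else.
func safeUserFilter(username string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", escapeLDAPFilterValue(username))
}

// countAssertions is a small structural check useful in a unit test:
// the template above always has exactly two "=" assertions, so a filter
// with more of them shows that the input changed the query's shape.
// Escaped values never contribute an "=", so counting is sufficient here.
func countAssertions(filter string) int {
	return strings.Count(filter, "=")
}

func main() {
	// Constructed sample input containing filter metacharacters.
	username := "ali*ce)(mail=x"

	fmt.Println("unsafe:", unsafeUserFilter(username),
		"assertions:", countAssertions(unsafeUserFilter(username)))
	fmt.Println("safe:  ", safeUserFilter(username),
		"assertions:", countAssertions(safeUserFilter(username)))
}
```

Escaping of the value is the fix the OWASP cheat sheet linked above recommends; allow-listing the username character set (for example, rejecting anything outside letters, digits and a few punctuation marks) is a worthwhile second layer, and a test like `countAssertions` catches a regression where the escaping step is accidentally dropped.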
| CVSS Version | Type | Source | Base Score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 7.5 | 10.0 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.1 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |
| 3.1 | Secondary | NVD | 8.1 | 2.2 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |
| 3.1 | Secondary | GHSA | 8.1 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |