CVE-2024-23333

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-23333

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23333.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-23333

Downstream

UBUNTU-CVE-2024-23333

Related

GHSA-fm9w-7m7v-wxqv

Published

2024-03-18T21:15:06Z

Modified

2025-07-02T00:30:49.824621Z

Summary

[none]

Details

LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be executed. The issue is mitigated by the following: An attacker needs to know LAM's master configuration password to be able to change the main settings; and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.

References

Affected packages

Debian:11 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.4-1

7.5-1

7.7-1

7.9-1

7.9.1-1

8.*

8.0.1-0+deb11u1

8.0.1-1

8.0.1-1.1

8.1-1

8.2-1

8.3-1

8.5-1

8.6-1

8.7-1

9.*

9.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.3-1

8.5-1

8.6-1

8.7-1

9.*

9.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/debian/ldap-account-manager?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.7-1

Affected versions

8.*

8.3-1

8.5-1

8.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/ldapaccountmanager/lam

Affected ranges

Type: GIT
Repo: https://github.com/ldapaccountmanager/lam
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a8293d8dcc4949bf050132bfa9447369e15297d6

Affected versions

8.*

8.5

8.6

8.6.RC1

8.7.RC1

Other

lam_5_4

lam_5_4_RC1

lam_5_5

lam_5_5_RC1

lam_5_6

lam_5_6_RC1

lam_5_7

lam_5_7_RC1

lam_6_0

lam_6_0_1

lam_6_0_RC1

lam_6_0_RC2

lam_6_1

lam_6_1_RC1

lam_6_2

lam_6_2_1

lam_6_2_RC1

lam_6_3

lam_6_3_RC1

lam_6_4

lam_6_4_RC1

lam_6_5

lam_6_5_RC1

lam_6_6

lam_6_6_RC1

lam_6_7

lam_6_7_RC1

lam_6_8

lam_6_8_RC1

lam_6_9

lam_6_9_RC1

lam_7_0

lam_7_0_RC1

lam_7_1

lam_7_1_RC1

lam_7_2

lam_7_2_RC1

lam_7_3

lam_7_3_RC1

lam_7_4

lam_7_4_RC1

lam_7_5

lam_7_5_RC1

lam_7_6

lam_7_6_RC1

lam_7_7

lam_7_7_RC1

lam_7_8

lam_7_8_RC1

lam_7_9

lam_7_9_1

lam_7_9_RC1

lam_8_0

lam_8_0_1

lam_8_0_RC1

lam_8_1

lam_8_1_RC1

lam_8_2

lam_8_2_RC1

lam_8_3

lam_8_3_RC1

lam_8_4

lam_8_4_RC1

lam_8_5_RC1

untagged-0f11e4b04e249cac51c5