GHSA-r8wq-qrxc-hmcm

Source

https://github.com/advisories/GHSA-r8wq-qrxc-hmcm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-r8wq-qrxc-hmcm/GHSA-r8wq-qrxc-hmcm.json

Aliases

Published

2021-11-29T17:58:59Z

Modified

2023-11-08T04:07:27.373064Z

Details

https://github.com/python-ldap/python-ldap/issues/424

Impact

The LDAP schema parser of python-ldap 3.3.1 and earlier are vulnerable to a regular expression denial-of-service attack. The issue affects clients that use ldap.schema package to parse LDAP schema definitions from an untrusted source.

Patches

The upcoming release of python-ldap 3.4.0 will contain a workaround to prevent ReDoS attacks. The schema parser refuses schema definitions with an excessive amount of backslashes.

Workarounds

As a workaround, users can check input for excessive amount of backslashes in schemas. More than a dozen backslashes per line are atypical.

References

CWE-1333

For more information

If you have any questions or comments about this advisory: * Open an issue in python-ldap tracker

References

Affected packages

PyPI / python-ldap

Package

Name: python-ldap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.4.0

Affected versions

2.*

2.3.13

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.12

2.4.13

2.4.14

2.4.15

2.4.16

2.4.17

2.4.18

2.4.19

2.4.20

2.4.21

2.4.22

2.4.25

2.4.26

2.4.27

2.4.28

2.4.29

2.4.30

2.4.31

2.4.32

2.4.33

2.4.35

2.4.36

2.4.37

2.4.38

2.4.39

2.4.40

2.4.41

2.4.42

2.4.43

2.4.44

2.4.45

2.5.1

2.5.2

3.*

3.0.0b1

3.0.0b2

3.0.0b3

3.0.0b4

3.0.0

3.1.0

3.2.0

3.3.0

3.3.1