GHSA-cqh3-jg8p-336j
Yamcs Vulnerable to LDAP Injection in LdapAuthModule
Details
### Summary
An LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.
### Root Cause
**File:** `yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233`
The `username` parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:
```java // VULNERABLE var filter = userFilter.replace("{0}", username); var searchResult = getSingleResult(ctx, userBase, filter, controls); ```
LDAP wildcard characters (`*`, `(`, `)`) are accepted without sanitization.
### Impact
With a known valid password, `username=*` authenticates as the first user returned by the LDAP search — enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.
This affects deployments that use `org.yamcs.security.LdapAuthModule` in their `etc/security.yaml` configuration file.
### Proof of Concept
```bash curl -X POST "http://TARGET:8090/auth/token" \ -d "grant_type=password&username=*&password=known_password" # Returns token for first matching LDAP user ```
### Fix
Apply RFC 4515 escaping before filter construction:
```java private static String escapeLdapFilter(String input) { return input .replace("\\", "\\5c") .replace("*", "\\2a") .replace("(", "\\28") .replace(")", "\\29") .replace("\0", "\\00"); } var filter = userFilter.replace("{0}", escapeLdapFilter(username)); ```
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 5.12.7 # pom.xml: bump <version>5.12.7</version> for org.yamcs:yamcs-core