Severity: HIGH

GHSA-2vg8-q4c2-5cw3

OpenAM has LDAP Injection via `_queryId` Parameter

## Details

OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under `/json/{realm}/users`. In `IdentityResourceV1.queryCollection()`, the HTTP query parameter `_queryId` is passed to a `CrestQuery` object with `escapeQueryId` **explicitly set to `false`**, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to `DJLDAPv3Repo.getFilter()` where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.

## Affected Endpoint

| Endpoint | Auth Required | Injection Parameter |
|----------|---------------|---------------------|
| `GET /openam/json/{realm}/users?_queryId=<INJECTION>` | SSO Token | `_queryId` |
| `GET /openam/json/{realm}/groups?_queryId=<INJECTION>` | SSO Token (TBD) | `_queryId` |
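A defender-side check for the endpoints in the table, added here as an example (it is not OpenAM code and not part of the advisory): it scans constructed access-log lines for requests to the `users` and `groups` collections whose `_queryId` value carries the LDAP filter metacharacters `(`, `)`, `\` or NUL. The log line format, the `realms/root` realm path, and the decision to treat `*` as the endpoint's ordinary wildcard rather than as a signal are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real OpenAM output). Assumed format:
# <client-ip> <method> <path-with-query> <status>
SAMPLE_LOG = """\
10.0.0.5 GET /openam/json/realms/root/users?_queryId=*&_fields=username 200
10.0.0.5 GET /openam/json/realms/root/users?_queryId=al*)(cn=* 200
10.0.0.9 GET /openam/json/realms/root/groups?_queryId=ops%29%28cn%3D%2a 200
10.0.0.7 GET /openam/json/realms/root/users/alice 200
"""

# Filter metacharacters an escaped value can never contain raw (RFC 4515).
# '*' is deliberately absent: it is the endpoint's normal wildcard (assumption).
METACHARS = set("()\\\x00")

# Collection endpoints named in the advisory; the realm segment may contain '/'.
ENDPOINT_RE = re.compile(r"^/openam/json/(?P<realm>.+)/(?P<collection>users|groups)$")


def flag_query_id_injection(log_text: str) -> list[dict]:
    """Return one finding per _queryId value that carries raw filter metacharacters."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # not a request line in the assumed format
        client, target = parts[0], parts[2]
        url = urlsplit(target)
        match = ENDPOINT_RE.match(url.path)
        if not match:
            continue  # not a users/groups collection query
        # parse_qs percent-decodes values, so encoded ')' and '(' are caught too.
        for query_id in parse_qs(url.query).get("_queryId", []):
            hits = sorted({ch for ch in query_id if ch in METACHARS})
            if hits:
                findings.append({
                    "line": lineno,
                    "client": client,
                    "realm": match.group("realm"),
                    "collection": match.group("collection"),
                    "query_id": query_id,
                    "metachars": hits,
                })
    return findings


if __name__ == "__main__":
    for finding in flag_query_id_injection(SAMPLE_LOG):
        print(finding)
```

The first sample line, a plain `_queryId=*` listing, produces no finding; the second and third do, the third only because `parse_qs` decodes the percent-encoded parentheses before the check runs.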

## Background: CVE-2021-29156

CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached `DJLDAPv3Repo.getFilter()` unescaped. The fix introduced the `escapeQueryId` flag in `CrestQuery` (defaulting to `true`) and added `Filter.escapeAssertionValue()` in the filter-building path:
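The two code paths the advisory contrasts (the `escapeQueryId=false` path in `queryCollection()` and the escaped path the CVE-2021-29156 fix introduced), as an added example rather than OpenAM's `getFilter()` or the OpenDJ SDK's `Filter.escapeAssertionValue()`: `build_filter()` mirrors the flag, and `escape_assertion_value()` applies the RFC 4515 escaping that the fix relies on. The attribute name `uid`, the `(uid=<value>)` filter shape and the single-assertion sanity check are assumptions; the sanity check goes slightly beyond the page by catching an unescaped value structurally, whatever metacharacters it carries.

```python
# RFC 4515 section 3: inside an assertion value the octets for '\', '*', '(',
# ')' and NUL must be written as a backslash followed by two hex digits.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_assertion_value(value: str) -> str:
    """Escape LDAP filter metacharacters the way RFC 4515 requires."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(query_id: str, escape_query_id: bool = True) -> str:
    """Build a one-assertion filter from user input.

    escape_query_id=False reproduces the defect the advisory describes: the raw
    value is concatenated into the filter string. The attribute 'uid' and the
    filter shape are assumptions, not OpenAM's real getFilter() logic.
    """
    value = escape_assertion_value(query_id) if escape_query_id else query_id
    return f"(uid={value})"


def filter_is_single_assertion(ldap_filter: str) -> bool:
    """Structural check: a filter built from one assertion contains exactly one
    raw '(' and one raw ')'. Escaped parentheses appear as \\28 and \\29, so any
    extra raw pair means user input broke out of the assertion value."""
    return ldap_filter.count("(") == 1 and ldap_filter.count(")") == 1


def safe_build_filter(query_id: str) -> str:
    """Hardened variant: escape, then refuse the filter if the structure is off."""
    ldap_filter = build_filter(query_id, escape_query_id=True)
    if not filter_is_single_assertion(ldap_filter):
        raise ValueError("filter structure altered by input")  # cannot happen after escaping
    return ldap_filter


if __name__ == "__main__":
    # Constructed input carrying metacharacters; shown once unescaped, once escaped.
    sample = "al*)(cn=*"
    print(build_filter(sample, escape_query_id=False))  # extra assertion appears
    print(safe_build_filter(sample))                    # metacharacters neutralised
```

With `escape_query_id=False` the constructed value yields `(uid=al*)(cn=*)`, a filter with two components where one was intended; with escaping it yields `(uid=al\2a\29\28cn=\2a)`, a single assertion whose value simply does not match any entry.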

## Credit

Discovered by **JD-Security SHENYI Team**


## Affected packages

- Maven: `org.openidentityplatform.openam:openam-core-rest`
  - Introduced in: 0
  - Fixed in: 16.1.1
  - Fix: in `pom.xml`, bump `<version>16.1.1</version>` for `org.openidentityplatform.openam:openam-core-rest`
