[
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17973534#comment-17973534
]
Jeffrey Adamson commented on DERBY-7147:
----------------------------------------
Are the official release numbers listed on this work item other than 10.17.1.0,
i.e. 10.14.3, 10.15.2.1 and 10.16.1.2, expected to ever be made available?
We have had to work round scanners flagging this and can no longer can derby
implementation jars as a result of this CVE, as we also cannot require a Java
21 runtime. While I can see the primary work of fixing seems to have been done
in the source code, custom builds do not resolve the issues related to external
tooling or 3rd parties.
> LDAP injection vulnerability in LDAPAuthenticationSchemeImpl
> ------------------------------------------------------------
>
> Key: DERBY-7147
> URL: https://issues.apache.org/jira/browse/DERBY-7147
> Project: Derby
> Issue Type: Bug
> Components: JDBC
> Affects Versions: 10.16.1.1
> Reporter: Richard N. Hillegas
> Assignee: Richard N. Hillegas
> Priority: Major
> Fix For: 10.14.3, 10.15.2.1, 10.16.1.2, 10.17.1.0
>
> Attachments: LDAPauthenticationVulnerability.pdf,
> derby-7147-01-aa-reformatForReadability.diff,
> derby-7147-02-aa-escapeLDAPsearchFilter.diff,
> derby-7147-02-ab-escapeLDAPsearchFilter.diff,
> derby-7147-03-aa-updateLDAPinstructions.diff,
> derby-7147-03-aa-updateLDAPinstructions.tar,
> derby-7147-03-ab-updateLDAPinstructions.diff,
> derby-7147-03-ab-updateLDAPinstructions.tar,
> derby-7147-04-aa-pointLDAPTestAtInstructions.diff, releaseNote.html
>
>
> An LDAP injection vulnerability has been identified in
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been
> provided, but there is a possibility that an intruder could bypass
> authentication checks in Derby-powered applications which rely on external
> LDAP servers.
> For more information on LDAP injection, see
> https://www.synopsys.com/glossary/what-is-ldap-injection.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
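As an added illustration of the fix named in the attachments above (escaping the LDAP search filter), and not Derby's own code: the RFC 4515 value escaping that keeps a user-supplied uid a literal inside the search filter, shown beside an unescaped builder. The unescaped builder is an assumed stand-in for the pre-fix lookup pattern, not the actual getDNFromUID() source, and the attribute names and sample uid are constructed.

```python
import re

# RFC 4515 section 3: inside an assertion value the characters *, (, ), \ and
# NUL must be written as a backslash followed by two hex digits.
_MUST_ESCAPE = "\\*()\x00"


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string so it can only ever be a literal assertion value."""
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape each UTF-8 byte, as the RFC permits.
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_uid_filter_unescaped(uid: str) -> str:
    # Assumed pre-fix pattern: the uid is spliced straight into the filter,
    # so metacharacters in it change the filter's structure.
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def build_uid_filter_escaped(uid: str) -> str:
    # Hardened form: the uid can only match a uid attribute value.
    return f"(&(objectClass=inetOrgPerson)(uid={escape_ldap_filter_value(uid)}))"


def count_filter_clauses(filt: str) -> int:
    """Count attribute=value comparisons; an escaped value cannot add any."""
    return len(re.findall(r"\([A-Za-z][\w-]*=", filt))


if __name__ == "__main__":
    # Constructed sample uid containing filter metacharacters.
    sample_uid = "alice)(uid=*"
    for name, fn in (("unescaped", build_uid_filter_unescaped),
                     ("escaped", build_uid_filter_escaped)):
        f = fn(sample_uid)
        print(f"{name}: {f}  clauses={count_filter_clauses(f)}")
```

Running the module shows the unescaped filter gaining a third comparison clause while the escaped one keeps exactly the two clauses the code wrote.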