CVE-2022-29155

high-risk

Published 2022-05-04

In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

Do I need to act?

23.4% chance of exploitation in next 30 days

EPSS score — higher than 77% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Openldap

Debian Linux

H300S Firmware

H500S Firmware

H700S Firmware

H700E Firmware

H410S Firmware

H410C Firmware

Affected Vendors

Debian Openldap Netapp

References (8)

Exploit https://bugs.openldap.org/show_bug.cgi?id=9815

Mailing List https://lists.debian.org/debian-lts-announce/2022/05/msg00032.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220609-0007/

Third Party Advisory https://www.debian.org/security/2022/dsa-5140

Exploit https://bugs.openldap.org/show_bug.cgi?id=9815

Mailing List https://lists.debian.org/debian-lts-announce/2022/05/msg00032.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20220609-0007/

Third Party Advisory https://www.debian.org/security/2022/dsa-5140

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 16/34 · Moderate