directory-users mailing list archives

From Stefan Seelmann <seelm...@apache.org>
Subject [SECURITY] CVE-2015-5349: Apache Directory Studio command injection vulnerability
Date Sat, 02 Jan 2016 14:32:51 GMT
CVE-2015-5349: Apache Directory Studio command injection vulnerability

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache LDAP Studio 0.6.0 to 0.8.1
- Apache Directory Studio 1.0.0 to 2.0.0-M9

Description:
The CSV export didn’t escape the fields properly. Malicious users can
put specially crafted values into the LDAP server. When a user exports
that data into a CSV-formatted file, and subsequently opens it with a
spreadsheet application, the data is interpreted as a formula and executed.

Mitigation:
Users should upgrade to Apache Directory Studio 2.0.0-M10.

Credit:
This issue was discovered by Muhammad Shahmeer Amir.
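
The following is an added example, not part of the advisory and not Apache Directory Studio's own code: a CSV export that neutralises formula-like field values, plus a check for auditing files that were already exported. The apostrophe-prefix approach, the function names and the sample entries are assumptions chosen for illustration; the advisory does not say how 2.0.0-M10 implements its fix.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a
# cell as a formula (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise(value):
    """Prefix a formula-like value with an apostrophe so it is shown as text.

    Legitimate values such as "-5" are prefixed as well; that is the cost of
    not trusting directory data.
    """
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value


def export_entries(entries, attributes, escape=True):
    """Return CSV text for the entries; every field is quoted.

    escape=False reproduces the unsafe behaviour, for comparison only.
    """
    clean = neutralise if escape else (lambda v: v)
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([clean(a) for a in attributes])
    for entry in entries:
        writer.writerow([clean(entry.get(a, "")) for a in attributes])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: list (row, column, value) of risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: the second and third entries hold values a
# spreadsheet would evaluate ("=1+1" is a harmless stand-in).
ATTRS = ["dn", "cn", "description"]
SAMPLE = [
    {"dn": "uid=alice,dc=example,dc=com", "cn": "Alice", "description": "Staff"},
    {"dn": "uid=bob,dc=example,dc=com", "cn": "Bob", "description": "=1+1"},
    {"dn": "uid=carol,dc=example,dc=com", "cn": "-Carol", "description": 'said "hi", left'},
]

if __name__ == "__main__":
    print(export_entries(SAMPLE, ATTRS))
    print(find_formula_cells(export_entries(SAMPLE, ATTRS, escape=False)))
```

Run `find_formula_cells` over exports produced by an affected version before opening them in a spreadsheet.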
