CVE-2022-31253

NameCVE-2022-31253
DescriptionA Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openldap (PTS)buster, buster (security)2.4.47+dfsg-3+deb10u7fixed
bullseye, bullseye (security)2.4.57+dfsg-3+deb11u1fixed
trixie, bookworm2.5.13+dfsg-5fixed
sid2.5.16+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openldapsource(unstable)(not affected)

Notes

- openldap <not-affected> (SuSE-specific packaging issue)

Search for package or bug name: Reporting problems