CVE-2026-42568
MEDIUM4.3Yamcs Vulnerable to LDAP Injection in LdapAuthModule
Description
### Summary An LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. ### Root Cause **File:** `yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233` The `username` parameter is inserted directly into an LDAP search filter without RFC 4515 escaping: ```java // VULNERABLE var filter = userFilter.replace("{0}", username); var searchResult = getSingleResult(ctx, userBase, filter, controls); ``` LDAP wildcard characters (`*`, `(`, `)`) are accepted without sanitization. ### Impact With a known valid password, `username=*` authenticates as the first user returned by the LDAP search — enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password. This affects deployments that use `org.yamcs.security.LdapAuthModule` in their `etc/security.yaml` configuration file. ### Proof of Concept ```bash curl -X POST "http://TARGET:8090/auth/token" \ -d "grant_type=password&username=*&password=known_password" # Returns token for first matching LDAP user ``` ### Fix Apply RFC 4515 escaping before filter construction: ```java private static String escapeLdapFilter(String input) { return input .replace("\\", "\\5c") .replace("*", "\\2a") .replace("(", "\\28") .replace(")", "\\29") .replace("\0", "\\00"); } var filter = userFilter.replace("{0}", escapeLdapFilter(username)); ```
Affected packages (1)
- Maven/org.yamcs:yamcs-corefrom 0, < 5.12.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |