CVE-2022-31086

8.8 HIGH

📋 TL;DR

LDAP Account Manager versions before 8.0 contain a vulnerability where incorrect regular expressions allow uploading PHP scripts to the config/templates/pdf directory. This could lead to remote code execution if that directory is accessible to remote users, though this is not the default configuration. Organizations running vulnerable LAM versions with web-accessible template directories are affected.

💻 Affected Systems

Products:
  • LDAP Account Manager (LAM)
Versions: All versions prior to 8.0
Operating Systems: All platforms running LAM
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if config/templates/pdf directory is accessible to remote users, which is not the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full system compromise, allowing attackers to execute arbitrary commands, steal data, or pivot to other systems.

🟠 Likely Case

Limited impact since the vulnerable directory is not web-accessible by default; exploitation requires specific misconfigurations.

🟢 If Mitigated

No impact if running patched version or if directory access controls prevent remote access to config/templates/pdf.

🌐 Internet-Facing: MEDIUM - While not default, misconfigured internet-facing instances could be exploited for RCE.
🏢 Internal Only: LOW - Internal instances with proper access controls have minimal risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to upload files and web access to the vulnerable directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0

Vendor Advisory: https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-q9pc-x84w-982x

Restart Required: Yes

Instructions:

1. Back up the current LAM configuration and data.
2. Download LAM version 8.0 or later from official sources.
3. Replace the existing installation with the new version.
4. Restart the web server service.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict directory access

Platform: all

Ensure the config/templates/pdf directory is not accessible via the web server.

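# For Apache: add to the server or virtual host config
# (<Directory> blocks are not valid inside .htaccess)
<Directory "/path/to/lam/config/templates/pdf">
    Require all denied
</Directory>
# For Nginx: add to the server block. The ^~ modifier stops a regex
# location such as "location ~ \.php$" from taking precedence.
location ^~ /lam/config/templates/pdf {
    deny all;
    return 403;
}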

🧯 If You Can't Patch

  • Implement strict access controls to prevent web access to config/templates/pdf directory
  • Monitor file upload functionality and audit directory permissions regularly

🔍 How to Verify

Check if Vulnerable:

Check LAM version via web interface or by examining installed files; versions below 8.0 are vulnerable if config/templates/pdf is web-accessible.

Check Version:

# Check LAM version via web interface or config file
grep 'lamVersion' /path/to/lam/config/lam.conf

Verify Fix Applied:

Confirm LAM version is 8.0 or higher and test that PHP files cannot be uploaded to config/templates/pdf directory.

📡 Detection & Monitoring

Log Indicators:

  • File upload attempts to config/templates/pdf directory
  • PHP file execution from unusual locations
  • Web server access logs showing requests to /lam/config/templates/pdf/

Network Indicators:

  • HTTP POST requests with file uploads to LAM endpoints
  • Unexpected outbound connections from web server

SIEM Query:

source="web_server_logs" AND (uri="/lam/config/templates/pdf/*" OR (uri="*/upload*" AND referer="*lam*"))
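
One way to triage the access-log indicator listed above, added here as an example (it is not code from LAM or the vendor advisory). It assumes the combined access-log format and LAM served under /lam/; the sample log lines and the script-extension pattern are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions: "combined" access-log format, LAM served under /lam/.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
PDF_DIR = "/lam/config/templates/pdf/"
# Assumption: file names the PHP handler may execute on this server.
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2022:10:00:01 +0000] "GET /lam/templates/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jul/2022:10:02:11 +0000] "GET /lam/config/templates/pdf/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jul/2022:10:02:40 +0000] "GET /lam/config/templates/pdf/example.php HTTP/1.1" 200 17 "-" "curl/7.81.0"',
    '203.0.113.5 - - [01/Jul/2022:10:05:00 +0000] "GET /lam//config/templates/%70df/example.php?x=1 HTTP/1.1" 403 153 "-" "curl/7.81.0"',
]


def classify(line):
    """Return (level, ip, path, status) for hits under PDF_DIR, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode and normalise so %-encoding or doubled slashes cannot hide the path.
    path = posixpath.normpath(unquote(urlsplit(m["uri"]).path)).lower()
    if not (path + "/").startswith(PDF_DIR):
        return None
    status = int(m["status"])
    served = 200 <= status < 400
    is_script = bool(SCRIPT_RE.search(posixpath.basename(path)))
    if served and is_script:
        level = "critical"   # a script in the upload directory was served
    elif served:
        level = "exposed"    # directory is web-reachable: the CVE precondition
    else:
        level = "blocked"    # request refused or file absent
    return level, m["ip"], path, status


def scan(lines):
    """Classify every line and keep only hits under the PDF template directory."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for level, ip, path, status in scan(SAMPLE_LOG):
        print(f"{level:8} {status} {ip:15} {path}")
```

An "exposed" result on its own is worth acting on: it shows the directory is reachable from the web, which is the misconfiguration this CVE depends on.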
