CVE-2022-31084

Publication date 27 June 2022

Last updated 16 July 2025


Ubuntu priority

Cvss 3 Severity Score

9.0 · Critical

Score breakdown

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.

Status

Package Ubuntu Release Status
ldap-account-manager 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
25.04 plucky Ignored end of life, was needs-triage
24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic
Not affected
22.04 LTS jammy
Needs evaluation
21.10 impish Ignored end of life
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial Ignored end of standard support, was needs-triage
14.04 LTS trusty Ignored end of standard support, was needs-triage

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
ldap-account-manager

Severity score breakdown

CVSS version: CVSS v3.0

Base score 9.0 · Critical

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Access our resources on patching vulnerabilities