CVE-2022-31085

Publication date 27 June 2022

Last updated 16 July 2025


Ubuntu priority

Cvss 3 Severity Score

5.5 · Medium

Score breakdown

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.

Status

Package Ubuntu Release Status
ldap-account-manager 26.04 LTS resolute
Not affected
25.10 questing
Not affected
25.04 plucky
Not affected
24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic
Not affected
22.04 LTS jammy
Needs evaluation
21.10 impish Ignored end of life
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial Ignored end of standard support, was needs-triage
14.04 LTS trusty Ignored end of standard support, was needs-triage

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
ldap-account-manager

Severity score breakdown

CVSS version: CVSS v3.0

Base score 5.5 · Medium

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N


Access our resources on patching vulnerabilities