Description
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://community.pega.com/upgrade
Third Party Advisory x_refsource_misc
https://gist.github.com/IAG0110/0205823570ba04ec12e656f7f4602877
Scores
CVSS v3
9.8
EPSS
0.0188
EPSS Percentile
76.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
pega/platform
< 8.2.1
Published
Aug 13, 2020
Tracked Since
Feb 18, 2026