CVE-2021-41232

HIGH

Thunderdome <1.16.3 - Command Injection

Title source: llm

Description

Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use.

References (3)

[Third Party Advisory] https://github.com/StevenWeathers/thunderdome-planning-poker/security/advisories/GHSA-26cm-qrc6-mfgj

[Issue Tracking, Third Party Advisory] https://github.com/github/securitylab/issues/464#issuecomment-957094994

[Patch] https://github.com/StevenWeathers/thunderdome-planning-poker/commit/f1524d01e8a0f2d6c3db5461c742456c692dd8c1

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0049

EPSS Percentile 65.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L

Details

CWE

CWE-90 CWE-74 CWE-116

Status published

Products (2)

stevenweathers/thunderdome-planning-poker 0 - 1.16.3Go

thunderdome/planning_poker < 1.16.3

Published Nov 02, 2021

Tracked Since Feb 18, 2026