Description
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0, the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or session encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in the LAM main configuration.
References (3)
Patch, Third Party Advisory (x_refsource_misc): https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4
Third Party Advisory (x_refsource_confirm): https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6m3q-5c84-6h6j
Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2022/dsa-5177
Scores
CVSS v3
6.1
EPSS
0.0022
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-522
CWE-311
Status
published
Products (2)
debian/debian_linux
11.0
ldap-account-manager/ldap_account_manager
< 8.0
Published
Jun 27, 2022
Tracked Since
Feb 18, 2026