Add CVE-2021-32651 for GHSA-5864-2496-4xjf

2025-07-30 18:04:30 +00:00 · 2021-06-01 13:12:52 -04:00 · 2021-06-01 13:12:52 -04:00 · 0adc41cb0a
commit 0adc41cb0a
parent 8a25440315
1 changed files with 76 additions and 6 deletions
--- a/2021/32xxx/CVE-2021-32651.json
+++ b/2021/32xxx/CVE-2021-32651.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32651",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "LDAP injection via OneDev may leak some LDAP directory information "
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "onedev",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "<= 4.4.1"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "theonedev"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 3.1,
+            "baseSeverity": "LOW",
+            "confidentialityImpact": "LOW",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "LOW",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"
+            },
+            {
+                "name": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c",
+                "refsource": "MISC",
+                "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-5864-2496-4xjf",
+        "discovery": "UNKNOWN"
    }
 }