CVE-2021-41232
CVSS 8.1 · HIGH
Summary
Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled: the username supplied at login is not properly escaped before it is used in the LDAP query. This issue has been patched in version 1.16.3. Users who are unable to update should disable the LDAP feature if it is in use.
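An added illustration of the flaw class the summary names and of its fix, written for this page and not taken from Thunderdome's code: the username is escaped per RFC 4515 before it is placed in an LDAP search filter, and a small structural check shows the difference. The attribute name, the constructed sample username and the check itself are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515 section 3): '*', '(', ')', '\' and NUL become a backslash
// followed by the two-digit hex code of the byte. Libraries may also escape
// non-ASCII bytes the same way; only these five are required.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// vulnerableFilter mirrors the flaw class in the advisory: the username is
// interpolated unescaped, so filter metacharacters in it change the query.
func vulnerableFilter(attr, username string) string {
	return fmt.Sprintf("(%s=%s)", attr, username)
}

// safeFilter escapes first, so the username can only match as a literal.
func safeFilter(attr, username string) string {
	return fmt.Sprintf("(%s=%s)", attr, escapeFilterValue(username))
}

// filterIsSingleAssertion is a test-time check (assumed here, not from the
// project): a filter built from one username must contain exactly one
// unescaped '(' and ')' and no unescaped wildcard.
func filterIsSingleAssertion(f string) bool {
	opens, closes, stars := 0, 0, 0
	for i := 0; i < len(f); i++ {
		switch f[i] {
		case '\\':
			i += 2 // skip the two hex digits of an escape sequence
		case '(':
			opens++
		case ')':
			closes++
		case '*':
			stars++
		}
	}
	return opens == 1 && closes == 1 && stars == 0
}

func main() {
	user := "alice)(objectClass=*" // constructed sample input
	fmt.Println(vulnerableFilter("uid", user), filterIsSingleAssertion(vulnerableFilter("uid", user)))
	fmt.Println(safeFilter("uid", user), filterIsSingleAssertion(safeFilter("uid", user)))
}
```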
CVSS 3.1 breakdown
| Metric | Value |
|---|---|
| Base score | 8.1 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L |
| Attack vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | CHANGED |
| Confidentiality | HIGH |
| Integrity | LOW |
| Availability | LOW |
Weakness type (CWE)
Affected products
Thunderdome planning poker
References
- https://github.com/StevenWeathers/thunderdome-planning-poker/commit/f1524d01e8a0f2d6c3db5461c742456c692dd8c1
- https://github.com/StevenWeathers/thunderdome-planning-poker/security/advisories/GHSA-26cm-qrc6-mfgj
- https://github.com/github/securitylab/issues/464#issuecomment-957094994
Data: NIST NVD. NVD last modified 2024-11-21. Always verify against the vendor advisory before acting.