CWE WEAKNESSES / CWE-90
CWE-90
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Base
What it is
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Impact
| Confidentiality, Integrity, Availability | Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data |
Mitigations
- [Implementation]Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.When performing input validation, consider all potentially relevant properties, including length, type of input, the full r
Real-world CVE examples
- CVE-2021-41232 — Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)
- CVE-2005-2301 — Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack.
Related weaknesses
Test & detect
Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.
Source: MITRE CWE. View on cwe.mitre.org →