
CVE-2024-23333

High

Published: 18 March 2024

Modified: 23 December 2025
CVSS Score (v3.1): 7.9, vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H
EPSS Score: 0.0576 (90.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-23333 is a high-severity injection (CWE-74) vulnerability in Ldap Account Manager (vendor: Ldap-Account-Manager). Its CVSS v3.1 base score is 7.9 (High).

Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

LDAP Account Manager (LAM) is a web frontend for managing LDAP directory entries. Prior to version 8.7, its log configuration feature permitted specification of arbitrary file paths. An attacker able to reach the configuration settings could therefore direct LAM to write PHP code into a file placed under a web-accessible directory, resulting in remote code execution when that file was subsequently requested.

Exploitation requires knowledge of LAM’s master configuration password and the existence of a web-server-writable directory reachable over HTTP; LAM itself does not ship any such directory. Successful exploitation yields arbitrary PHP execution on the server with the privileges of the web-server process.

The vulnerability was corrected in release 8.7. The project advisory recommends restricting access to LAM’s configuration pages to authorized administrators as a workaround and notes that the two prerequisite conditions significantly limit the practical attack surface.
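The fix class the advisory describes is a constraint on where a configured log path may resolve. The PHP function below is an added example, not LAM's own code: it accepts a log path only if its canonical form (via realpath, so ".." and symlinks are resolved) lies inside a dedicated log directory and does not carry an extension a PHP-enabled web server would execute; the directory names and the extension list are assumptions for the demo.

```php
<?php
// Added example, not LAM's own code: accept a configured log file path only
// when it canonicalises into a dedicated log directory, so log output can never
// be written under a web-served directory. Directory names are constructed.
declare(strict_types=1);
function resolveLogPath(string $requested, string $allowedDir): string
{
    $allowedReal = realpath($allowedDir);
    if ($allowedReal === false || !is_dir($allowedReal)) {
        throw new InvalidArgumentException("log directory missing: $allowedDir");
    }
    // The file may not exist yet, so canonicalise its parent directory;
    // realpath() also resolves ".." segments and symlinks.
    $parentReal = realpath(dirname($requested));
    if ($parentReal === false) {
        throw new InvalidArgumentException("parent directory missing: $requested");
    }
    $candidate = $parentReal . DIRECTORY_SEPARATOR . basename($requested);
    // Compare with a trailing separator so /var/log/lam-other is not
    // mistaken for a child of /var/log/lam.
    $prefix = rtrim($allowedReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException("log path escapes $allowedReal: $requested");
    }
    // Defence in depth: refuse extensions a PHP-enabled web server would run.
    if (preg_match('/\.(php\d*|phtml|phar)$/i', basename($requested)) === 1) {
        throw new InvalidArgumentException('executable extension not allowed for logs');
    }
    return $candidate;
}

// Constructed demo directories (assumptions for this example).
$logDir = sys_get_temp_dir() . '/lam-logs-demo';
$webDir = sys_get_temp_dir() . '/lam-www-demo';
@mkdir($logDir);
@mkdir($webDir);
$cases = [
    $logDir . '/lam.log',               // accepted
    $logDir . '/../lam-www-demo/x.php', // rejected: ".." escapes the log directory
    $webDir . '/y.php',                 // rejected: outside the allow-listed directory
    $logDir . '/lam.php',               // rejected: executable extension
];
foreach ($cases as $case) {
    try {
        echo 'OK   ', resolveLogPath($case, $logDir), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', $e->getMessage(), "\n";
    }
}
```

Run with the PHP CLI; only the first case is accepted, and each rejected case reports which check refused it.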

The associated EPSS score has remained flat at 0.0576 since disclosure, indicating no observable increase in exploitation interest.


Vulnerability details

LDAP Account Manager (LAM) is a web frontend for managing entries stored in an LDAP directory. LAM's log configuration allows specifying arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and causing LAM to log some PHP code to this file. When the file is then accessed via the web, the code would be executed. The issue is mitigated by the following: an attacker needs to know LAM's master configuration password to be able to change the main settings, and the webserver needs write access to a directory that is accessible via web. LAM itself does not provide any such directories. The issue has been fixed in 8.7. As a workaround, limit access to LAM configuration pages to authorized users.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ldap-account-manager; product: ldap account manager; affected versions: ≤ 8.7

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them pre-deployment.

Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
