GHSA-2VG8-Q4C2-5CW3

Vulnerability from github – Published: 2026-06-22 19:59 – Updated: 2026-06-22 19:59
VLAI
Summary
OpenAM has LDAP Injection via `_queryId` Parameter
Details

OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under /json/{realm}/users. In IdentityResourceV1.queryCollection(), the HTTP query parameter _queryId is passed to a CrestQuery object with escapeQueryId explicitly set to false, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to DJLDAPv3Repo.getFilter() where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.

Affected Endpoint

Endpoint Auth Required Injection Parameter
GET /openam/json/{realm}/users?_queryId=<INJECTION> SSO Token _queryId
GET /openam/json/{realm}/groups?_queryId=<INJECTION> SSO Token (TBD) _queryId

Background: CVE-2021-29156

CVE-2021-29156 was a pre-authentication LDAP injection in OpenAM's Webfinger endpoint, where user-supplied input reached DJLDAPv3Repo.getFilter() unescaped. The fix introduced the escapeQueryId flag in CrestQuery (defaulting to true) and added Filter.escapeAssertionValue() in the filter-building path:

Credit

Discovered by JD-Security SHENYI Team

Severity
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 16.0.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.openidentityplatform.openam:openam-core-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T19:59:33Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under `/json/{realm}/users`. In `IdentityResourceV1.queryCollection()`, the HTTP query parameter `_queryId` is passed to a `CrestQuery` object with `escapeQueryId` **explicitly set to `false`**, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to `DJLDAPv3Repo.getFilter()` where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.\n\n\n## Affected Endpoint\n\n| Endpoint | Auth Required | Injection Parameter |\n|----------|--------------|---------------------|\n| `GET /openam/json/{realm}/users?_queryId=\u003cINJECTION\u003e` | SSO Token | `_queryId` |\n| `GET /openam/json/{realm}/groups?_queryId=\u003cINJECTION\u003e` | SSO Token (TBD) | `_queryId` |\n\n## Background: CVE-2021-29156\n\nCVE-2021-29156 was a pre-authentication LDAP injection in OpenAM\u0027s Webfinger endpoint, where user-supplied input reached `DJLDAPv3Repo.getFilter()` unescaped. The fix introduced the `escapeQueryId` flag in `CrestQuery` (defaulting to `true`) and added `Filter.escapeAssertionValue()` in the filter-building path:\n\n## Credit\n\nDiscovered by **JD-Security SHENYI Team**",
  "id": "GHSA-2vg8-q4c2-5cw3",
  "modified": "2026-06-22T19:59:33Z",
  "published": "2026-06-22T19:59:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2vg8-q4c2-5cw3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-8984-9gww-h52x"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenAM has LDAP Injection via `_queryId` Parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.