Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in…
GitHub_M·CWE-90·Published 2026-05-26
Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. Versions 5.13.0 and 5.12.7 patch the issue.
### Summary

An LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

### Root Cause

**File:** `yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233`

The `username` parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:

```java
// VULNERABLE
var filter = userFilter.replace("{0}", username);
var searchResult = getSingleResult(ctx, userBase, filter, controls);
```

LDAP filter special characters (the wildcard `*` and the parentheses `(`, `)`) are accepted without sanitization.

### Impact

With a known valid password, `username=*` authenticates as the first user returned by the LDAP search, enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.

This affects deployments that use `org.yamcs.security.LdapAuthModule` in their `etc/security.yaml` configuration file.

### Proof of Concept

```bash
curl -X POST "http://TARGET:8090/auth/token" \
  -d "grant_type=password&username=*&password=known_password"
# Returns token for first matching LDAP user
```

### Fix

Apply RFC 4515 escaping before filter construction:

```java
// Escape the backslash first so the escapes added afterwards are not escaped again.
private static String escapeLdapFilter(String input) {
    return input
        .replace("\\", "\\5c")
        .replace("*", "\\2a")
        .replace("(", "\\28")
        .replace(")", "\\29")
        .replace("\0", "\\00");
}

// The username is escaped before it is substituted into the filter template.
var filter = userFilter.replace("{0}", escapeLdapFilter(username));
```
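
A regression check for the escaping described in the Fix section, as an added example that is not Yamcs code: it builds the filter with and without escaping and verifies that the username never adds filter syntax to the template. The `(uid={0})` template, the class name and the helpers `buildFilter`, `metaCount` and `preservesStructure` are assumptions made for illustration; the escaping routine mirrors the one in the advisory.

```java
import java.util.List;

public class LdapFilterEscapeCheck {
    // Assumed template: the advisory does not show a deployment's userFilter value.
    static final String USER_FILTER = "(uid={0})";

    // RFC 4515 escaping as in the advisory's fix. Backslash is replaced first so
    // the escapes produced by the later replacements are not escaped again.
    static String escapeLdapFilter(String input) {
        return input.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }

    static String buildFilter(String username, boolean escape) {
        return USER_FILTER.replace("{0}", escape ? escapeLdapFilter(username) : username);
    }

    // Counts literal '(' ')' '*' in a filter, skipping \XX escapes.
    // Returns -1 for a raw NUL or a backslash not followed by two hex digits.
    static int metaCount(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\0') return -1;
            if (c == '\\') {
                if (i + 2 >= s.length() || Character.digit(s.charAt(i + 1), 16) < 0
                        || Character.digit(s.charAt(i + 2), 16) < 0) return -1;
                i += 2;
            } else if (c == '(' || c == ')' || c == '*') n++;
        }
        return n;
    }

    // Invariant: the username must not add filter syntax to the template.
    static boolean preservesStructure(String filter) {
        return metaCount(filter) == metaCount(USER_FILTER.replace("{0}", ""));
    }

    public static void main(String[] args) {
        // Constructed usernames, one per character class RFC 4515 requires escaping.
        for (String u : List.of("jdoe", "*", "j*", "j(doe)", "dom\\jdoe", "a\0b")) {
            String raw = buildFilter(u, false), safe = buildFilter(u, true);
            System.out.printf("%-16s structure kept: %-5b escaped: %s%n",
                    raw.replace('\0', '?'), preservesStructure(raw), safe);
            if (!preservesStructure(safe)) throw new AssertionError("escape failed: " + safe);
        }
    }
}
```

Only the plain `jdoe` input keeps the template's structure without escaping; every escaped filter passes the check, which makes the loop usable as a unit test around the patched filter construction.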
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 4.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | NVD | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | Secondary | GHSA | 4.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |