
Cloud Vulnerability DB
A community-led vulnerabilities database
Thunderdome, an open source agile planning poker tool, contained an LDAP injection vulnerability (CVE-2021-41232) disclosed on November 2, 2021. The vulnerability affects versions prior to 1.16.3, and only deployments that have LDAP authentication enabled (GitHub Advisory).
The root cause is improper neutralization of special elements used in LDAP queries: the authentication routine of the Go-based application interpolated the submitted username into an LDAP search filter without escaping it, so filter metacharacters in the username (`*`, `(`, `)`, `\` and NUL) were interpreted by the directory server instead of being matched literally. The vulnerability was assigned a CVSS v3.1 base score of 8.1 (High) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L, and is classified under CWE-90 (LDAP Injection) and CWE-116 (Improper Encoding or Escaping of Output) (GitHub Advisory).
Because the login form is reachable without credentials (PR:N, UI:N), an unauthenticated attacker could alter the structure or matching of the user-lookup filter, potentially gaining access to sensitive directory information, modifying directory data, or disrupting the service. The vector's changed scope (S:C) reflects that the affected component is the backing LDAP directory rather than Thunderdome itself; the impact is rated high for confidentiality and low for integrity and availability, and attack complexity is high (GitHub Advisory).
Version 1.16.3 fixes the issue by passing the username through go-ldap's ldap.EscapeFilter() before it is placed in the filter, which encodes each metacharacter as a backslash followed by two hex digits (GitHub Commit). Deployments that cannot upgrade immediately should disable LDAP authentication until they can; after upgrading, confirm the running version is 1.16.3 or later before re-enabling it.
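The following is an added example, not Thunderdome's own code, that shows why the escape matters. `escapeFilter` reimplements the RFC 4515 rule that go-ldap's `ldap.EscapeFilter()` applies (so the example runs with no dependencies); the filter template in `userFilter`, the `sampleDirectory` entries and the toy `matchAssertion` evaluator are assumptions constructed for the demonstration, not taken from the project.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// escapeFilter escapes an LDAP filter assertion value per RFC 4515, using the
// same rule as go-ldap's ldap.EscapeFilter (reimplemented here so the example
// has no dependencies): '*', '(', ')', '\', NUL and any byte above 0x7f become
// a backslash followed by two hex digits.
func escapeFilter(s string) string {
	const digits = "0123456789abcdef"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			b.WriteByte('\\')
			b.WriteByte(digits[c>>4])
			b.WriteByte(digits[c&0x0f])
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// userFilter builds the user-lookup filter from a uid assertion value (assumed
// template). The vulnerable pattern passes the raw username; the fixed pattern
// passes escapeFilter(username).
func userFilter(uidAssertion string) string {
	return fmt.Sprintf("(&(objectClass=person)(uid=%s))", uidAssertion)
}

// parseAssertion decodes an assertion value the way a directory server would:
// "\XX" escapes become literal bytes and each unescaped '*' splits the value
// into substrings that must appear in order (RFC 4515 substring semantics).
func parseAssertion(value string) (parts []string, wildcard bool) {
	var cur strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch {
		case c == '\\' && i+2 < len(value):
			if raw, err := hex.DecodeString(value[i+1 : i+3]); err == nil {
				cur.Write(raw)
				i += 2
				continue
			}
			cur.WriteByte(c)
		case c == '*':
			parts = append(parts, cur.String())
			cur.Reset()
			wildcard = true
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String()), wildcard
}

// matchAssertion reports whether attr satisfies a (uid=<value>) assertion.
func matchAssertion(value, attr string) bool {
	parts, wildcard := parseAssertion(value)
	if !wildcard {
		return parts[0] == attr
	}
	first, last := parts[0], parts[len(parts)-1]
	if !strings.HasPrefix(attr, first) {
		return false
	}
	rest := attr[len(first):]
	if !strings.HasSuffix(rest, last) {
		return false
	}
	rest = rest[:len(rest)-len(last)]
	for _, p := range parts[1 : len(parts)-1] { // middle substrings, in order
		idx := strings.Index(rest, p)
		if idx < 0 {
			return false
		}
		rest = rest[idx+len(p):]
	}
	return true
}

// sampleDirectory is a constructed set of uids standing in for the LDAP tree.
var sampleDirectory = []string{"alice", "bob", "svc-backup"}

// matchingUsers returns the uids a (uid=<assertion>) search would return.
func matchingUsers(uidAssertion string, directory []string) []string {
	var hits []string
	for _, uid := range directory {
		if matchAssertion(uidAssertion, uid) {
			hits = append(hits, uid)
		}
	}
	return hits
}

func main() {
	for _, username := range []string{"alice", "*", "al*", "x)(cn=*"} {
		esc := escapeFilter(username)
		fmt.Printf("input %q\n  raw:     %-44s -> %v\n  escaped: %-44s -> %v\n", username,
			userFilter(username), matchingUsers(username, sampleDirectory),
			userFilter(esc), matchingUsers(esc, sampleDirectory))
	}
}
```

Run it and compare the two rows for each input: a raw `*` username turns the lookup into `(uid=*)` and matches every entry in the directory, and `x)(cn=*` rewrites the filter's structure, while the escaped forms `\2a` and `x\29\28cn=\2a` only ever match a uid containing those literal characters. Escaping the value is the correct fix for this class of bug; rejecting usernames that contain metacharacters would also work, but is fragile because the set of characters that need escaping (including non-ASCII bytes) is easy to get wrong.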
Source: This report was generated using AI