CVE-2022-29155: 
NixOS vulnerability analysis and mitigation

CVE-2022-29155 affects OpenLDAP versions 2.x before 2.5.12 and 2.6.x before 2.6.2. The vulnerability is a SQL injection flaw that exists in the experimental back-sql backend to slapd, which can be exploited via a SQL statement within an LDAP query. This vulnerability was discovered by Jacek Konieczny and was disclosed in March 2022 (Debian Security, OpenLDAP Bug).

The vulnerability occurs during LDAP search operations when the search filter is processed, due to a lack of proper escaping of SQL statements. The issue specifically affects the experimental back-sql backend component of slapd, allowing malicious SQL statements to be injected through LDAP queries. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information, addition or modification of database content, or Denial of Service (DoS). An attacker can manipulate the database during LDAP search operations by using specially crafted search filters (NetApp Security).

The vulnerability has been fixed in OpenLDAP versions 2.5.12 and 2.6.2 and later. Various distributions have released security updates: Debian 11 (bullseye) fixed in version 2.4.57+dfsg-3+deb11u1, Debian 10 (buster) fixed in version 2.4.47+dfsg-3+deb10u7, and Ubuntu has released fixes for multiple versions (Debian Security, Ubuntu Security).