Summary: Denial of Service due to application crash
Release Date: 21st December 2022
Product: M-Vault
Version(s): 16.0v0 to 17.0v23
CVE ID: CVE-2022-47581

Summary of vulnerability

This advisory discloses a critical vulnerability introduced in version R16.0v0 of M-Vault. The following versions are affected by this vulnerability:

  • M-Vault R16.0v0 to R17.0v23.

The bug is triggered by an LDAPv1 bind request: receiving one causes the server to crash, resulting in a denial of service.
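As an added detection example (not Isode's code and not part of the advisory), the Python below decodes the LDAPMessage envelope and BindRequest fields defined in RFC 4511 and flags any bind whose protocol version is not 3, which is the condition the advisory describes. It is the kind of check a network sensor or a filtering proxy in front of a not-yet-upgraded M-Vault would apply. The constant names, the `classify` verdict strings and the sample PDUs are constructed for this example; the decoder assumes short-form or 1-4 octet long-form BER lengths, which covers ordinary LDAP traffic.

```python
# Added example (not Isode's code): a minimal BER decoder that inspects
# LDAP BindRequest PDUs and flags any whose protocol version is not 3.
# Intended as detection logic for a network sensor, or as a pre-filter in
# a proxy placed in front of an M-Vault instance that cannot be upgraded yet.
from dataclasses import dataclass
from typing import Optional, Tuple

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0], constructed (RFC 4511 section 4.2)
EXPECTED_VERSION = 3     # the only version a modern LDAP client should send


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str

    @property
    def suspicious(self) -> bool:
        return self.version != EXPECTED_VERSION


def parse_bind_request(pdu: bytes) -> Optional[BindInfo]:
    """Return BindInfo if pdu is an LDAPMessage carrying a BindRequest, else None."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_BIND_REQUEST:
        return None                        # some other protocolOp; not inspected here
    tag, ver, pos = read_tlv(op, 0)
    if tag != TAG_INTEGER:
        raise ValueError("BindRequest.version must be an INTEGER")
    _, name, _ = read_tlv(op, pos)         # LDAPDN (OCTET STRING); auth choice follows
    return BindInfo(int.from_bytes(mid, "big", signed=True),
                    int.from_bytes(ver, "big", signed=True),
                    name.decode("utf-8", "replace"))


def classify(pdu: bytes) -> str:
    """Verdict for one PDU: 'pass', 'drop:ldap-version-N', or 'error:<reason>'."""
    try:
        info = parse_bind_request(pdu)
    except ValueError as exc:
        return f"error:{exc}"
    if info is None or not info.suspicious:
        return "pass"
    return f"drop:ldap-version-{info.version}"


# Constructed sample PDUs (not captured traffic):
# messageID 1, BindRequest{version, name "cn=admin", simple password "x"}.
SAMPLE_V3_BIND = bytes.fromhex("3015020101" "6010020103" "0408636e3d61646d696e" "800178")
SAMPLE_V1_BIND = bytes.fromhex("3015020101" "6010020101" "0408636e3d61646d696e" "800178")
# messageID 2, a non-bind protocolOp (tag 0x63) with empty contents, to show it passes.
SAMPLE_OTHER_OP = bytes.fromhex("3005020102" "6300")

if __name__ == "__main__":
    for label, pdu in [("v3 bind", SAMPLE_V3_BIND), ("v1 bind", SAMPLE_V1_BIND), ("other", SAMPLE_OTHER_OP)]:
        print(f"{label:8s} -> {classify(pdu)}")
```

The decoder only looks at the fields it needs (messageID, the protocolOp tag, the bind version and the DN) and raises on anything malformed, so a proxy built on it can fail closed: a PDU it cannot parse is logged and dropped rather than forwarded to the directory.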

Severity

Isode rates the severity level of this vulnerability as high, according to the CVSS system (details can be found at www.first.org).

Mitigation

This vulnerability has been fixed in M-Vault R17.0v24, and users of affected versions are advised to upgrade to it immediately. Later releases (including the subsequent major release, R18.0) are not affected by this vulnerability.

Acknowledgements

Isode thanks Jerome Nokin of the NATO Cyber Security Centre (NCSC) for discovering this vulnerability.