Yandex Database
Monthly
LDAP filter injection in Yandex Database (all versions prior to 25.3.1.25) enables a network-accessible attacker holding valid LDAP credentials to manipulate the group membership validation queries sent to the directory service, bypassing access controls and gaining unauthorized database access beyond their permitted scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and the Automatable:Yes (AU:Y) attribute confirm this is a low-complexity, scriptable attack requiring no user interaction, increasing risk in environments with large LDAP user populations. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; a vendor-released patch is available at version 25.3.1.25.
LDAP filter injection in Yandex Database (all versions prior to 25.3.1.25) enables a network-accessible attacker holding valid LDAP credentials to manipulate the group membership validation queries sent to the directory service, bypassing access controls and gaining unauthorized database access beyond their permitted scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and the Automatable:Yes (AU:Y) attribute confirm this is a low-complexity, scriptable attack requiring no user interaction, increasing risk in environments with large LDAP user populations. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; a vendor-released patch is available at version 25.3.1.25.