This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: java-security/ldap-entry-poisoning

Language: Java

Severity: Info

Category: Security

Description

JNDI API support the binding of serialize object in LDAP directories and can lead to remove code execution. Generally, object deserialization should be consider a risky operation that can lead to remote code execution. This exploitation has been demonstrated at Black Hat USA 2016.

Learn More

Non-Compliant Code Examples

class NotCompliant {
    public void myMethod() {
        DirContext ctx = new InitialDirContext();

        ctx.search(query, filter,
                new SearchControls(scope, countLimit, timeLimit, attributes,
                    true,
                    deref));
    }
}

Compliant Code Examples

class Compliant {
    public void myMethod() {
        DirContext ctx = new InitialDirContext();

        ctx.search(query, filter,
                new SearchControls(scope, countLimit, timeLimit, attributes,
                    false,
                    deref));
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis