1) Fixed LDAP authentication flow vulnerable to TLS certificate verification bypass (CVE-2025-12765). #9324

2) Fixed LDAP injection vulnerability in LDAP authentication flow (CVE-2025-12764). #9325
pull/9335/head
Khushboo Vashi 2025-11-10 11:26:04 +05:30 committed by Akshay Joshi
parent e374edc692
commit 09d2b7eeb0
4 changed files with 15 additions and 7 deletions


@ -87,6 +87,8 @@ There are 3 ways to configure LDAP:
"LDAP_KEY_FILE","Specifies the path to the server private key file. This parameter
is applicable only if you are using *ldaps* as connection protocol or you have
set *LDAP_USE_STARTTLS* parameter to *True*."
"LDAP_CERT_VALIDATE", "Set this parameter to *False* if you want to bypass
the TLS certificate validation. By default it is set to True."
"LDAP_IGNORE_MALFORMED_SCHEMA", "Some flaky LDAP servers returns malformed schema.
If this parameter set to *True*, no exception will be raised and schema is thrown away
but authentication will be done. This parameter should remain False, as recommended."
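Review bot: the new LDAP_CERT_VALIDATE entry should state what turning it off costs, not just how to do it: with *False* the LDAP server's certificate is never checked, so the bind (and the credentials it carries) can be intercepted by anything sitting between pgAdmin and the directory. Suggested wording: "Set this parameter to *False* only for testing against a server whose certificate cannot be validated; this disables TLS certificate verification and exposes bind credentials to interception. Default: *True*." It would also help to add the same qualifier the neighbouring entries carry, that the setting only matters when using *ldaps* or *LDAP_USE_STARTTLS*.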


@ -42,4 +42,6 @@ Bug fixes
| `Issue #9281 <https://github.com/pgadmin-org/pgadmin4/issues/9281>`_ - Fixed an issue where the last used storage directory was reset to blank, leading to access denied errors during backup or restore operations.
| `Issue #9304 <https://github.com/pgadmin-org/pgadmin4/issues/9304>`_ - Fixed an issue that prevented assigning multiple users to an RLS policy.
| `Issue #9320 <https://github.com/pgadmin-org/pgadmin4/issues/9320>`_ - Fixed remote code execution vulnerability when restoring PLAIN-format SQL dumps in server mode (CVE-2025-12762).
| `Issue #9323 <https://github.com/pgadmin-org/pgadmin4/issues/9323>`_ - Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763).
| `Issue #9323 <https://github.com/pgadmin-org/pgadmin4/issues/9323>`_ - Fixed Command injection vulnerability allowing arbitrary command execution on Windows (CVE-2025-12763).
| `Issue #9324 <https://github.com/pgadmin-org/pgadmin4/issues/9324>`_ - Fixed LDAP authentication flow vulnerable to TLS certificate verification bypass (CVE-2025-12765).
| `Issue #9325 <https://github.com/pgadmin-org/pgadmin4/issues/9325>`_ - Fixed LDAP injection vulnerability in LDAP authentication flow (CVE-2025-12764).
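Review bot: the entry for Issue #9323 (CVE-2025-12763) appears twice in this hunk, on consecutive lines; unless the repetition is intentional, drop the second copy so each fix is listed once in the release notes. The two new entries for #9324 and #9325 otherwise match the commit message.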


@ -754,6 +754,9 @@ LDAP_CA_CERT_FILE = ''
LDAP_CERT_FILE = ''
LDAP_KEY_FILE = ''
# TLS/SSL certificate Validation (True/False),
# Make it false if certificate validation is not required.
LDAP_CERT_VALIDATE = True
##########################################################################
# Some flaky LDAP servers returns malformed schema. If True, no exception
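Review bot: the comment added above LDAP_CERT_VALIDATE reads as though disabling validation is a routine option ("Make it false if certificate validation is not required"); since the default is now the secure setting, spell out the consequence instead, e.g. `# Set to False only to skip LDAP server certificate verification (insecure; testing only).` Also drop the stray trailing comma after `(True/False),` and mention that the setting only applies to ldaps / STARTTLS connections, so the config comment and the docs entry say the same thing.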


@ -16,6 +16,7 @@ from ldap3 import Connection, Server, Tls, ALL, ALL_ATTRIBUTES, ANONYMOUS,\
from ldap3.core.exceptions import LDAPSocketOpenError, LDAPBindError,\
LDAPInvalidScopeError, LDAPAttributeError, LDAPInvalidFilterError,\
LDAPStartTLSError, LDAPSSLConfigurationError
from ldap3.utils.conv import escape_filter_chars
from flask_babel import gettext
from urllib.parse import urlparse
@ -212,10 +213,8 @@ class LDAPAuthentication(BaseAuthentication):
ca_cert_file = getattr(config, 'LDAP_CA_CERT_FILE', None)
cert_file = getattr(config, 'LDAP_CERT_FILE', None)
key_file = getattr(config, 'LDAP_KEY_FILE', None)
cert_validate = ssl.CERT_NONE
if ca_cert_file and cert_file and key_file:
cert_validate = ssl.CERT_REQUIRED
cert_required = getattr(config, 'LDAP_CERT_VALIDATE', True)
cert_validate = ssl.CERT_REQUIRED if cert_required else ssl.CERT_NONE
try:
tls = Tls(
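Review bot: with `cert_validate` now defaulting to `ssl.CERT_REQUIRED` regardless of whether a CA file is configured, the `Tls(...)` call that follows must cope with `ca_cert_file` being the empty string that `config.py` ships as the default (`LDAP_CA_CERT_FILE = ''`); confirm that an empty value is passed through as `None` so the platform trust store is used, rather than an empty path being handed to the certificate loader and every validated connection failing. The change itself is the right one: the removed code made server-certificate validation conditional on a client certificate and key being present, which are unrelated settings. Consider also emitting a warning at startup when `cert_required` is False, so an operator can see in the logs that verification has been switched off.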
@ -278,8 +277,10 @@ class LDAPAuthentication(BaseAuthentication):
elif not search_base_dn or search_base_dn == '<Search-Base-DN>':
search_base_dn = config.LDAP_BASE_DN
search_filter = "({0}={1})".format(config.LDAP_USERNAME_ATTRIBUTE,
self.username)
search_filter = "({0}={1})".format(
config.LDAP_USERNAME_ATTRIBUTE,
escape_filter_chars(self.username)
)
if config.LDAP_SEARCH_FILTER:
search_filter = "(&{0}{1})".format(search_filter,
config.LDAP_SEARCH_FILTER)
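Review bot: escaping `self.username` with `escape_filter_chars` before it is interpolated into the search filter is the correct fix for the filter-injection path; `config.LDAP_SEARCH_FILTER`, which is concatenated unescaped two lines later, is administrator-configured and so is fine, but a one-line comment stating that assumption would stop a future reader from "fixing" it. If the username is also interpolated into a bind DN anywhere outside this hunk, that spot needs the DN-specific escaping (`escape_rdn` from `ldap3.utils.dn`) rather than the filter escaping used here.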