LDAP Injection

[QiAnXinCodeSafe]

jira-ldap-group-sync-plugin/src/main/java/com/adsk/jira/ldapgroupsync/plugin/api/LDAPGroupSyncUtilImpl.java

Lines 179 to 186 in 310fcf4

	String searchGroupFilter = MessageFormat.format(GroupMemberSearchFilter, sr.getNameInNamespace());
	NamingEnumeration groupAnswer = ctx.search(baseDn, searchGroupFilter, getGroupSearchControls());
	while (groupAnswer.hasMoreElements()) {
	SearchResult gsr = (SearchResult) groupAnswer.next();
	logger.debug("*** processing nested group *** "+ gsr.getName());
	getLdapGroupMembers(ctx, gsr, users);

Constructing a dynamic LDAP filter with user input could allow an attacker to modify the statement's meaning.