CVE-2022-45910: CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in Apache Software Foundation Apache ManifoldCF
Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string is passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions.
AI Analysis
Technical Summary
CVE-2022-45910 is a medium-severity LDAP Injection vulnerability (CWE-90) found in the Apache Software Foundation's Apache ManifoldCF product, specifically affecting the ActiveDirectory and Sharepoint ActiveDirectory authority connectors. Apache ManifoldCF is an open-source framework used for connecting source content repositories with target repositories or indexes, often deployed in enterprise environments for content crawling and indexing. The vulnerability arises due to improper neutralization of special characters in LDAP queries constructed during user lookup operations. Specifically, when the username or domain strings are passed to the UserACLs servlet without adequate validation or sanitization, an attacker can inject malicious LDAP query elements. This injection can manipulate the LDAP search filters, potentially allowing an attacker to alter the logic of LDAP queries. The consequences include the ability to perform unauthorized additional LDAP queries, manipulate filters to bypass intended access controls, or cause denial-of-service (DoS) conditions by crafting queries that overload or disrupt the LDAP service. The vulnerability affects Apache ManifoldCF versions 2.23 and earlier. The CVSS v3.1 base score is 5.3 (medium), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No known exploits have been reported in the wild to date. The root cause is the failure to properly sanitize user-supplied input before embedding it into LDAP queries, a classic injection flaw that can lead to unauthorized query manipulation. 
This vulnerability is particularly relevant in environments where Apache ManifoldCF integrates with Active Directory or Sharepoint ActiveDirectory for user authentication and authorization, as it can undermine the integrity of access control decisions based on LDAP queries.
Potential Impact
For European organizations, the impact of CVE-2022-45910 can be significant in sectors relying on Apache ManifoldCF for content management and indexing, especially those integrating with Active Directory or Sharepoint ActiveDirectory for user access control. Successful exploitation could allow attackers to manipulate LDAP queries to bypass access controls, potentially granting unauthorized access to sensitive content or user information. Although confidentiality impact is rated as none in CVSS, the integrity impact is low but meaningful, as attackers can alter query filters to retrieve or deny access to certain data improperly. Additionally, the ability to cause denial-of-service conditions on LDAP services can disrupt business operations dependent on directory services for authentication and authorization. Given the widespread use of Active Directory in European enterprises and public sector organizations, this vulnerability could affect critical infrastructure, government agencies, and large enterprises managing sensitive data. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing risk. However, the absence of known exploits in the wild and the medium severity rating suggest that while impactful, the threat is currently moderate but should not be underestimated, especially in high-security environments.
Mitigation Recommendations
- Apply the latest patches or updates from the Apache Software Foundation as soon as they become available for Apache ManifoldCF, specifically versions beyond 2.23 where this vulnerability is fixed.
- Implement strict input validation and sanitization on all user-supplied inputs that are used in LDAP queries, particularly the username and domain parameters passed to the UserACLs servlet. Employ allowlists for acceptable characters and escape special LDAP characters properly.
- Deploy Web Application Firewalls (WAFs) with rules designed to detect and block LDAP injection patterns targeting the UserACLs servlet endpoints.
- Monitor LDAP query logs and application logs for unusual or malformed LDAP queries that may indicate attempted exploitation.
- Restrict network access to the UserACLs servlet and LDAP services to trusted internal networks and authenticated users where possible, reducing exposure to unauthenticated remote attackers.
- Conduct regular security assessments and code reviews focusing on input handling in LDAP-related components of Apache ManifoldCF integrations.
- Educate development and operations teams about LDAP injection risks and secure coding practices to prevent similar vulnerabilities in custom connectors or extensions.
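The two input-handling recommendations above (allowlist the username and domain parameters, escape LDAP filter metacharacters) are shown together below as an added example. This is not ManifoldCF code and does not reproduce the UserACLs servlet; the filter shape, the attribute names `sAMAccountName` and `userPrincipalName`, the allowlist patterns and the sample inputs are all assumptions constructed to resemble a typical Active Directory user lookup. The escaping follows RFC 4515 section 3, which is the standard the "escape special LDAP characters properly" advice refers to.

```python
"""Allowlist + RFC 4515 escaping for an LDAP user-lookup filter.

Added example, not Apache ManifoldCF code. Attribute names, filter shape,
allowlist patterns and sample inputs are assumptions.
"""
import re

# RFC 4515 section 3: inside a filter assertion value these characters must
# be written as a backslash followed by the two-digit hex code of the byte.
_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be read as a single assertion value.

    Non-ASCII characters are also hex-escaped byte by byte; RFC 4515 permits
    raw UTF-8, but escaping removes any encoding ambiguity at the server.
    """
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Allowlists for the two parameters named in the advisory (constructed;
# tighten or relax to match the naming policy of the directory in use).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def validate_user_and_domain(username: str, domain: str) -> list:
    """Return a list of problems; an empty list means both values are clean.

    Rejecting at the allowlist stage is the primary control: a username that
    legitimately contains '(' or '*' does not exist in AD, so any such input
    is either a typo or an injection attempt and is worth logging either way.
    """
    problems = []
    if not _USERNAME_RE.match(username):
        problems.append("username outside allowlist")
    if not _DOMAIN_RE.match(domain):
        problems.append("domain outside allowlist")
    return problems


def build_user_filter(username: str, domain: str) -> str:
    """Validate first, then build the lookup filter from escaped values.

    Escaping is kept as a second layer so the filter stays well-formed even
    if the allowlist is later relaxed to admit more characters.
    """
    problems = validate_user_and_domain(username, domain)
    if problems:
        raise ValueError("; ".join(problems))
    sam = escape_filter_value(username)
    upn = escape_filter_value(f"{username}@{domain}")
    return (
        "(&(objectClass=user)"
        f"(|(sAMAccountName={sam})(userPrincipalName={upn})))"
    )


def unsafe_user_filter(username: str, domain: str) -> str:
    """The vulnerable pattern (raw concatenation), kept only for contrast."""
    return (
        "(&(objectClass=user)"
        f"(|(sAMAccountName={username})(userPrincipalName={username}@{domain})))"
    )


def filter_metacharacters(param: str) -> set:
    """Metacharacters present in a submitted parameter; useful as a WAF or
    log-monitoring rule on the servlet's username/domain fields."""
    return {ch for ch in param if ch in _ESCAPE}


if __name__ == "__main__":
    print(build_user_filter("j.doe", "corp.example"))          # constructed input
    bad = "jdoe)(cn=*"                                          # constructed input
    print(validate_user_and_domain(bad, "corp.example"))
    print(sorted(filter_metacharacters(bad)))
```

With the escaped build, a value containing `(`, `)` or `*` can no longer close or extend the filter; with the allowlist in front of it, such a value never reaches the directory at all, and the rejection is the event to alert on.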
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2022-11-26T16:22:46.368Z
- Cisa Enriched: true
Threat ID: 682d9848c4522896dcbf5d7e
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 6:08:38 AM
Last updated: 7/31/2025, 9:27:56 PM
Views: 10
Related Threats
- CVE-2025-9094: Improper Neutralization of Special Elements Used in a Template Engine in ThingsBoard (Medium)
- CVE-2025-9093: Improper Export of Android Application Components in BuzzFeed App (Medium)
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)