SCA: security update for python-ldap (GHSA-r7r6-cc7p-4v5m)

medium Tenable Self-Hosted Container Security Plugin ID 435578

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to
3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of
special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the
non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3
different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a
`list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` computes
without performing adequate logic to ensure a fully escaped return value. If an application relies on the
vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able
to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate
ldap data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the
start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied
`assertion_value` parameter is not of type `str`. (CVE-2025-61911)

See Also

https://github.com/advisories/GHSA-r7r6-cc7p-4v5m

Plugin Details

Severity: Medium

ID: 435578

Version: Revision 1.15

Type: Local

Family: SCA Checks

Published: 10/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.43

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-61911

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/10/2025

Vulnerability Publication Date: 10/10/2025

Reference Information

CVE: CVE-2025-61911