NGINX Zero-day Bug Affecting LDAP Implementation (12th April 2022)

Ref# AL2022_23 | Date: Apr 12th 2022

Description 

A zero-day vulnerability has been publicly disclosed in the LDAP-auth reference implementation used alongside the NGINX web server. Initial reports described it as a remote code execution flaw in NGINX 1.18; NGINX has since confirmed that NGINX Open Source and NGINX Plus are not themselves affected, and that the weakness lies in the reference implementation, where it allows an attacker to override its configuration and bypass LDAP authentication checks. 

Summary 

NGINX itself does not speak LDAP; the reference implementation consists of an ldap-auth daemon that runs alongside NGINX and is queried through the auth_request module, which is how the issue becomes reachable. It is mostly used to put an LDAP login in front of private GitHub, Bitbucket, Jenkins and GitLab instances, and in front of anything else that offers an optional LDAP login, Atlassian products included. Any NGINX deployment wired to the ldap-auth daemon should be treated as severely impacted until the investigation is complete. 

How it works 

NGINX has confirmed that the reference implementation, which uses LDAP to authenticate users, is impacted only when the deployment involves one or more of the following three conditions: 

  • Command-line parameters are used to configure the Python-based reference implementation daemon 

  • There are unused, optional configuration parameters, and 

  • LDAP authentication depends on specific group membership 

If any of these conditions is met, an attacker can override configuration parameters by sending specially crafted HTTP request headers, because the daemon reads its LDAP settings from X-Ldap-* headers and accepts any header the NGINX configuration does not itself set. In particular, the attacker can replace the LDAP search template and so bypass the group membership requirement, forcing LDAP authentication to succeed even though the authenticated user does not belong to the group. 

Remediation 

According to the project maintainers, users should (1) ensure that special characters are stripped from the username field of the login form before it is passed to the daemon, and (2) in the NGINX location block that uses auth_request, explicitly set every configuration parameter that is not already set there (because it is supplied on the daemon's command line or is unused) to an empty value (“”) with proxy_set_header, so that NGINX drops any such header a client sends instead of forwarding it to the daemon. 
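As an added example (not code from this advisory or from the nginx-ldap-auth project), the following Python models the two behaviours described under "How it works" and both remediations above: the daemon lets a non-empty X-Ldap-* request header override the value given on its command line, and it substitutes the login username unescaped into the LDAP search filter. nginx_forward models proxy_set_header, where an empty value makes NGINX drop the header before it reaches the daemon; escape_filter_value applies RFC 4515 escaping to the username. The header names follow the reference implementation; the hostnames, DNs, bind password and group name are constructed values.

```python
# Added example (not code from the nginx-ldap-auth project or this advisory).
# Models two behaviours the advisory describes: request headers overriding the
# daemon's command-line parameters, and an unescaped username being substituted
# into the LDAP search filter. All hostnames, DNs and secrets are constructed.

# LDAP parameters the daemon was started with on its command line (constructed).
CLI_DEFAULTS = {
    "X-Ldap-URL": "ldap://ldap.example.internal:389",
    "X-Ldap-BaseDN": "dc=example,dc=internal",
    "X-Ldap-BindDN": "cn=nginx,dc=example,dc=internal",
    "X-Ldap-BindPass": "bind-secret",
    # Group-restricted search template: only members of cn=admins may log in.
    "X-Ldap-Template": (
        "(&(cn=%(username)s)"
        "(memberOf=cn=admins,ou=groups,dc=example,dc=internal))"
    ),
}
# Optional parameters this deployment does not use and never sets in nginx.conf.
OPTIONAL_PARAMS = ("X-Ldap-Starttls", "X-Ldap-Realm", "X-Ldap-CookieName")


def nginx_forward(client_headers, pinned):
    """Model proxy_set_header in the auth_request location.

    `pinned` maps a header name to the value nginx sets for it. An empty value
    means nginx does not pass that header at all, so whatever the client sent
    under that name never reaches the daemon.
    """
    forwarded = {k: v for k, v in client_headers.items() if k not in pinned}
    forwarded.update({k: v for k, v in pinned.items() if v != ""})
    return forwarded


def resolve_params(forwarded_headers, defaults=CLI_DEFAULTS):
    """Model the daemon: a non-empty X-Ldap-* header wins over the CLI default."""
    params = dict(defaults)
    for name in list(defaults) + list(OPTIONAL_PARAMS):
        value = forwarded_headers.get(name)
        if value:
            params[name] = value
    return params


# RFC 4515 escapes for characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a username before substituting it into the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username, sanitize=True):
    """Substitute the username into the template, escaping it first by default."""
    name = escape_filter_value(username) if sanitize else username
    return template % {"username": name}


def attack_overrides_template(pinned):
    """Return True if a client-supplied X-Ldap-Template reaches the daemon.

    The attacker's template drops the memberOf condition, which is the
    group-membership bypass the advisory describes.
    """
    attacker_headers = {"X-Ldap-Template": "(cn=%(username)s)"}
    params = resolve_params(nginx_forward(attacker_headers, pinned))
    return params["X-Ldap-Template"] == attacker_headers["X-Ldap-Template"]


# Vulnerable: nginx pins nothing because every parameter came from the CLI.
VULNERABLE_PINNED = {}
# Mitigated: every parameter not set in nginx.conf is pinned to "" so the
# client cannot supply it; the CLI values remain the only source.
MITIGATED_PINNED = {name: "" for name in list(CLI_DEFAULTS) + list(OPTIONAL_PARAMS)}


if __name__ == "__main__":
    print("vulnerable config, template overridden:", attack_overrides_template(VULNERABLE_PINNED))
    print("mitigated config, template overridden: ", attack_overrides_template(MITIGATED_PINNED))
    # A bare '*' in the username turns the equality match into a wildcard that
    # matches every entry; escaping keeps it a literal asterisk.
    print(build_filter(CLI_DEFAULTS["X-Ldap-Template"], "*", sanitize=False))
    print(build_filter(CLI_DEFAULTS["X-Ldap-Template"], "*"))
```

The two pinned dictionaries correspond to the NGINX side of the remediation: MITIGATED_PINNED is what a location block looks like after a `proxy_set_header X-Ldap-... "";` line has been added for each parameter the configuration does not otherwise set. The escaping helper corresponds to the daemon side; in a real deployment it should be applied wherever the username is inserted into a filter, not only in the login form.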

The maintainers also noted that the LDAP reference implementation is not a production-grade LDAP solution; it exists to show the mechanics of the connection and the components required to validate the integration. 

The Guyana National CIRT recommends that users and administrators review this alert and apply the remediation where necessary. 

PDF Download: NGINX Zero-day Bug.pdf

References