CVE-2023-44469
https://notcve.org/view.php?id=CVE-2023-44469
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.17.1 https://lists.debian.org/debian-lts-announce/2023/10/msg00014.html https://security.lauritz-holtmann.de/post/sso-security-ssrf • CWE-918: Server-Side Request Forgery (SSRF) •
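The root cause above is an issuer that fetches whatever request_uri the client names. The check below is an added example in Perl (the language LemonLDAP::NG is written in); it is not LemonLDAP::NG code and does not reproduce the 2.17.1 fix. It assumes the issuer keeps, per client_id, the request_uri prefixes the relying party registered (the request_uris parameter of OpenID Connect Dynamic Client Registration), and only fetches a request object whose scheme, host, port and path prefix match one of them. The client_id, hostnames and the fetch limits are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: validate an OIDC "request_uri"
# against what the relying party pre-registered before the issuer fetches it.
use strict;
use warnings;
use URI;
use HTTP::Tiny;

# Constructed registry: request_uri prefixes each client registered with the
# issuer (the client_id and hostname are invented for this example).
my %registered = (
    'rp-example' => [ URI->new('https://rp.example.org/oidc/requests/') ],
);

# Returns (1, undef) if $raw may be fetched on behalf of $client_id,
# otherwise (0, reason).
sub request_uri_allowed {
    my ($client_id, $raw) = @_;
    my $uri = URI->new($raw);

    return (0, 'not an absolute https URL')
        unless defined $uri->scheme && lc($uri->scheme) eq 'https';
    # "https://rp.example.org@169.254.169.254/" parses as user "rp.example.org"
    # at host 169.254.169.254; never let userinfo masquerade as the host.
    return (0, 'userinfo in authority') if defined $uri->userinfo;

    my $host = lc($uri->host // '');
    return (0, 'missing host') if $host eq '';
    # No IP literals and no loopback names: the issuer must only talk to the
    # registered relying-party hosts, never to itself or to link-local services.
    return (0, 'IP literal') if $host =~ /^[\d.]+$/ || $host =~ /:/;
    return (0, 'loopback')   if $host eq 'localhost' || $host =~ /\.localhost$/;
    return (0, 'dot-segment in path') if $uri->path =~ m{(^|/)\.\.?(/|$)};

    my $prefixes = $registered{$client_id} or return (0, 'unknown client');
    for my $p (@$prefixes) {
        return (1, undef)
            if $host eq lc($p->host)
            && $uri->port == $p->port
            && index($uri->path, $p->path) == 0;
    }
    return (0, 'not registered for this client');
}

# Fetch an allowed request object with the limits an issuer should enforce:
# short timeout, no redirects (a redirect would reopen the SSRF), a size cap
# and TLS verification. The returned JWT still has to be verified separately.
sub fetch_request_object {
    my ($client_id, $raw) = @_;
    my ($ok, $why) = request_uri_allowed($client_id, $raw);
    die "refusing request_uri $raw: $why\n" unless $ok;
    my $res = HTTP::Tiny->new(
        timeout      => 5,
        max_redirect => 0,
        max_size     => 64 * 1024,
        verify_SSL   => 1,
    )->get($raw);
    die "fetch failed: $res->{status} $res->{reason}\n" unless $res->{success};
    return $res->{content};
}

# Demo on constructed inputs (no network access needed for the checks).
for my $candidate (
    'https://rp.example.org/oidc/requests/abc123',
    'http://rp.example.org/oidc/requests/abc123',
    'https://rp.example.org@169.254.169.254/latest/meta-data/',
    'https://127.0.0.1:8443/manager/',
    'https://rp.example.org/oidc/requests/../../admin',
    'https://attacker.example.net/oidc/requests/abc123',
) {
    my ($ok, $why) = request_uri_allowed('rp-example', $candidate);
    printf "%-60s %s\n", $candidate, $ok ? 'ALLOW' : "DENY ($why)";
}
```

Only the first candidate is allowed; the others are refused before any connection is opened. Matching parsed components (host, port, path prefix) rather than doing a string prefix match on the raw URL is what defeats the userinfo and look-alike-host tricks; dropping redirects matters because a registered relying party that can be made to redirect would otherwise hand the issuer an arbitrary target again.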
CVE-2019-19791
https://notcve.org/view.php?id=CVE-2019-19791
In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-7-is-out •
CVE-2022-37186
https://notcve.org/view.php?id=CVE-2022-37186
In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b393947663ad3bf26bad0581413dd6fae4 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.0.15 https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html • CWE-613: Insufficient Session Expiration •
CVE-2023-28862
https://notcve.org/view.php?id=CVE-2023-28862
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1 https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html • CWE-287: Improper Authentication •
CVE-2020-36659
https://notcve.org/view.php?id=CVE-2020-36659
In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix. • https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f https://lists.debian.org/debian-lts-announce/2023/01/msg00025.html • CWE-295: Improper Certificate Validation •
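The weak default named above is Net::LDAPS's own: unless told otherwise it connects with verify => 'none' and accepts any certificate on port 636. The Perl below is an added example, not Apache::Session::Browseable code and not the linked fix commit, showing the insecure constructor call beside the hardened one. The hostname, CA file path and bind DN are constructed for the example; which store parameters Apache::Session::Browseable 1.3.6 maps onto these options is not shown here and should be taken from the commit linked above.

```perl
#!/usr/bin/perl
# Added example, not Apache::Session::Browseable code: Net::LDAPS with its
# insecure default beside an explicit, verified connection to a session backend.
use strict;
use warnings;
use Net::LDAPS;

# Constructed backend settings (invented for this example).
my %backend = (
    host   => 'ldap.example.internal',
    port   => 636,
    cafile => '/etc/ssl/certs/internal-ca.pem',
    binddn => 'cn=sessions,ou=services,dc=example,dc=internal',
    bindpw => 'example-only',
);

# Before the fix: only host and port reach Net::LDAPS, which therefore falls
# back to verify => 'none'. The session store then trusts whatever certificate
# is presented, so anyone on the path can impersonate the LDAP server and read
# or rewrite session data.
sub connect_insecure {
    my $ldap = Net::LDAPS->new($backend{host}, port => $backend{port})
        or die "LDAPS connect failed: $@\n";
    return $ldap;
}

# Hardened: refuse the handshake unless the server certificate chains to the
# configured CA. With verify => 'require' and no cafile/capath, IO::Socket::SSL's
# default trust store is used instead; hostname matching depends on the installed
# Net::LDAP and IO::Socket::SSL versions, so check it against a wrongly named
# certificate once rather than assuming it.
sub connect_verified {
    my $ldap = Net::LDAPS->new(
        $backend{host},
        port   => $backend{port},
        verify => 'require',
        cafile => $backend{cafile},
    ) or die "LDAPS connect failed (certificate rejected?): $@\n";
    return $ldap;
}

# Bind with the verified connection and report what the socket negotiated, so
# an operator can confirm the peer certificate actually came from the expected CA.
sub bind_and_report {
    my $ldap = connect_verified();
    my $mesg = $ldap->bind($backend{binddn}, password => $backend{bindpw});
    die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;
    my $sock = $ldap->socket;
    printf "connected to %s, peer certificate subject: %s\n",
        $backend{host}, $sock->peer_certificate('subject');
    $ldap->unbind;
    return 1;
}

bind_and_report() if !caller;
```

Running connect_insecure against a test server with a self-signed certificate succeeds silently; connect_verified dies at the handshake, which is the behaviour you want from a session store. If the session backend is reached through LemonLDAP::NG's own LDAP settings, the NOTE above points at the matching fix (CVE-2020-16093) for that code path, so both connections need verification turned on, not just one.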