CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250 https://lemonldap-ng.org/download https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html • CWE-295: Improper Certificate Validation

CVSS: 8.8 | EPSS: 1% | CPEs: 2 | EXPL: 1

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/8d3b763b6af2b8a9c4ad2765fbfabffec8a73af5 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags https://www.debian.org/security/2021/dsa-4943 • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS: 9.8 | EPSS: 1% | CPEs: 3 | EXPL: 1

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package. • https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2 https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 https://www.debian.org/security/2020/dsa-4762 • CWE-425: Direct Request ('Forced Browsing')

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881 https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out https://seclists.org/bugtraq/2019/Sep/46 https://www.debian.org/security/2019/dsa-4533 • CWE-863: Incorrect Authorization

CVSS: 8.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1820 https://lists.debian.org/debian-lts-announce/2019/07/msg00003.html https://www.calypt.com/blog/index.php/cve-2019-13031-xxe-on-lemonldapng-2-0-5 • CWE-611: Improper Restriction of XML External Entity Reference