
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.17.1 https://lists.debian.org/debian-lts-announce/2023/10/msg00014.html https://security.lauritz-holtmann.de/post/sso-security-ssrf • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-7-is-out

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b393947663ad3bf26bad0581413dd6fae4 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.0.15 https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html • CWE-613: Insufficient Session Expiration

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896 https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1 https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html • CWE-287: Improper Authentication

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 1

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user. • https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612 • CWE-287: Improper Authentication