MidnightBSD

Advisories for lemonldap-ng

CVE-2012-6426 HIGH

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
lemonldap-ng lemonldap:: 0.8
lemonldap-ng lemonldap:: 1.0.2
lemonldap-ng lemonldap::ng 1.0.6
lemonldap-ng lemonldap:: 0.8.1
lemonldap-ng lemonldap:: 1.2.1
lemonldap-ng lemonldap::ng 1.0.4
lemonldap-ng lemonldap:: 1.1.1
lemonldap-ng lemonldap:: 1.2.0
lemonldap-ng lemonldap:: 0.9.3
lemonldap-ng lemonldap::ng 0.8.2
lemonldap-ng lemonldap:: 0.9.4
lemonldap-ng lemonldap:: 1.1.0
lemonldap-ng lemonldap:: 0.8.2
lemonldap-ng lemonldap:: 0.8.3
lemonldap-ng lemonldap::ng 1.0.3
lemonldap-ng lemonldap::ng 0.9.4
lemonldap-ng lemonldap::ng *
lemonldap-ng lemonldap::ng 1.0.1
lemonldap-ng lemonldap::ng 1.1.2
lemonldap-ng lemonldap::ng 1.2.1
lemonldap-ng lemonldap::ng 0.8.1
lemonldap-ng lemonldap::ng 0.8.3
lemonldap-ng lemonldap::ng 1.0.5
lemonldap-ng lemonldap:: 0.9.1
lemonldap-ng lemonldap:: 1.0.6
lemonldap-ng lemonldap:: 1.0.4
lemonldap-ng lemonldap::ng 0.9.1
lemonldap-ng lemonldap:: 1.0.5
lemonldap-ng lemonldap::ng 1.1.1
lemonldap-ng lemonldap::ng 0.9.2
lemonldap-ng lemonldap:: *
lemonldap-ng lemonldap:: 0.7
lemonldap-ng lemonldap:: 1.0
lemonldap-ng lemonldap::ng 1.2.0
lemonldap-ng lemonldap:: 0.9.2
lemonldap-ng lemonldap:: 1.1.2
lemonldap-ng lemonldap::ng 1.1.0
lemonldap-ng lemonldap:: 1.0.3
lemonldap-ng lemonldap:: 0.6
lemonldap-ng lemonldap::ng 0.9.3
lemonldap-ng lemonldap:: 0.9
lemonldap-ng lemonldap:: 1.0.1
lemonldap-ng lemonldap::ng 1.0.2
CVE-2019-12046 HIGH

LemonLDAP::NG -2.0.3 has Incorrect Access Control.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-522,

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng 2.0.3
lemonldap-ng lemonldap:: 2.0.3
debian debian_linux 9.0
CVE-2019-13031 MEDIUM

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
lemonldap-ng lemonldap:: *
debian debian_linux 8.0
CVE-2019-15941 HIGH

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,

Products Affected

Vendor Product Version
lemonldap-ng lemonldap:: *
lemonldap-ng lemonldap::ng *
debian debian_linux 10.0
CVE-2019-19791

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
CVE-2020-16093

In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
debian debian_linux 10.0
CVE-2020-24660 HIGH

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-425,

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
lemonldap-ng lemonldap::ng_handler *
debian debian_linux 10.0
CVE-2020-36658

In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.

Products Affected

Vendor Product Version
lemonldap-ng apache::session::ldap *
debian debian_linux 10.0
CVE-2020-36659

In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.

Products Affected

Vendor Product Version
lemonldap-ng apache::session::browsable *
debian debian_linux 10.0
CVE-2021-35472 MEDIUM

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-307,

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
debian debian_linux 10.0
CVE-2021-40874

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng 2.0.13
debian debian_linux 10.0
CVE-2022-37186

In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
CVE-2023-44469

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *
CVE-2024-48933

A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.

Products Affected

Vendor Product Version
lemonldap-ng lemonldap::ng *