CVE-2012-6426 — Lemonldap-ng vulnerability

CWE-2645 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 51.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Lemonldap-ng Lemonldap-ng Lemonldap

Timeline

PublishedJan 1

Latest updateMay 17

Description

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 1.2.2-3 (bookworm)

▶NVDlemonldap-ng/lemonldap1.2.2+1

Patches

Patch: jira.ow2.org ↗Patch: jira.ow2.org ↗

🔴Vulnerability Details

GHSA

GHSA-9q8m-r734-6gg5: LemonLDAP::NG before 1↗2022-05-17

▶

OSV

CVE-2012-6426: LemonLDAP::NG before 1↗2013-01-01

▶

📋Vendor Advisories

Debian

CVE-2012-6426: lemonldap-ng - LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of...↗2012

▶

📄Research Papers

arXiv

XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany↗2021-06-19

▶