CVE-2019-13031 — XML External Entity (XXE) Injection in Lemonldap

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.2%

top 59.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lemonldap-ng Lemonldap Debian Lemonldap-ng Debian Linux

Timeline

PublishedJun 28

Latest updateMay 24

Description

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.0.0+ds-1 (bookworm)

▶NVDlemonldap-ng/lemonldap< 1.9.20

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-wxgq-mv23-pgqr: LemonLDAP::NG before 1↗2022-05-24

▶

OSV

CVE-2019-13031: LemonLDAP::NG before 1↗2019-06-28

▶

📋Vendor Advisories

Debian

CVE-2019-13031: lemonldap-ng - LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitti...↗2019

▶