CVE-2019-15941Incorrect Authorization in Lemonldap-ng

CWE-863Incorrect Authorization5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
0.4%
top 39.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Debian Lemonldap-ngLemonldap-ng LemonldapDebian Linux
Timeline
PublishedSep 25
Latest updateMay 24

Description

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

debiandebian/lemonldap-ng< lemonldap-ng 2.0.6+ds-1 (bookworm)
NVDlemonldap-ng/lemonldap2.0.02.0.5

Also affects: Debian Linux 10.0

🔴Vulnerability Details

2
GHSA
GHSA-jq88-5p5w-x8c3: OpenID Connect Issuer in LemonLDAP::NG 22022-05-24
OSV
CVE-2019-15941: OpenID Connect Issuer in LemonLDAP::NG 22019-09-25

📋Vendor Advisories

1
Debian
CVE-2019-15941: lemonldap-ng - OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker t...2019

💬Community

1
Bugzilla
CVE-2019-17543 lz4: heap-based buffer overflow in LZ4_write322019-10-24