CVE-2019-19791 — Lemonldap vulnerability

4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.0%

top 88.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lemonldap-ng Lemonldap Debian Lemonldap-ng

Timeline

PublishedMay 29

Description

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.0.7+ds-1 (bookworm)

▶NVDlemonldap-ng/lemonldap< 2.0.7

🔴Vulnerability Details

OSV

CVE-2019-19791: In LemonLDAP::NG (aka lemonldap-ng) before 2↗2023-05-29

▶

GHSA

GHSA-c639-6g37-r8wm: In LemonLDAP::NG (aka lemonldap-ng) before 2↗2023-05-29

▶

📋Vendor Advisories

Debian

CVE-2019-19791: lemonldap-ng - In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server...↗2019

▶