CVE-2021-35473 — Insufficient Session Expiration in Lemonldap-ng

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.2%

top 64.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Lemonldap-ng

Timeline

PublishedNov 10

Latest updateNov 11

Description

An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use a expired access token from an OIDC client to access the OAuth2 handler The earliest affected version is 2.0.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.0.11+ds-4 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-m833-cpj5-q368: An issue was discovered in LemonLDAP::NG before 2↗2024-11-11

▶

OSV

CVE-2021-35473: An issue was discovered in LemonLDAP::NG before 2↗2024-11-10

▶

📋Vendor Advisories

Debian

CVE-2021-35473: lemonldap-ng - An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expir...↗2021

▶