CVE-2022-37186 — Insufficient Session Expiration in Lemonldap

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.5%

top 34.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lemonldap-ng Lemonldap Debian Lemonldap-ng

Timeline

PublishedApr 16

Description

In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.0.15+ds-1 (bookworm)

▶NVDlemonldap-ng/lemonldap< 2.0.15

Patches

Patch: gitlab.ow2.org ↗Patch: gitlab.ow2.org ↗Patch: gitlab.ow2.org ↗

🔴Vulnerability Details

GHSA

GHSA-x33x-q828-vc8w: In LemonLDAP::NG before 2↗2023-04-16

▶

OSV

CVE-2022-37186: In LemonLDAP::NG before 2↗2023-04-16

▶

📋Vendor Advisories

Debian

CVE-2022-37186: lemonldap-ng - In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supp...↗2022

▶