CVE-2024-45160 — Incorrect Authorization in Lemonldap-ng

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 69.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Lemonldap-ng

Timeline

PublishedOct 9

Description

Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.19.2+ds-1 (forky)

🔴Vulnerability Details

GHSA

GHSA-gf98-qc2v-6xvh: Incorrect credential validation in LemonLDAP::NG 2↗2024-10-09

▶

OSV

CVE-2024-45160: Incorrect credential validation in LemonLDAP::NG 2↗2024-10-09

▶

📋Vendor Advisories

Debian

CVE-2024-45160: lemonldap-ng - Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2...↗2024

▶