Lemonldap-ng : Security Vulnerabilities, CVEs, (Bypass)
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
Max CVSS
9.8
EPSS Score
0.07%
Published
2023-03-31
Updated
2023-07-14
An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.
Max CVSS
9.8
EPSS Score
0.27%
Published
2022-07-18
Updated
2022-07-25
2 vulnerabilities found