Lemonldap Ng


Products by Lemonldap Ng, sorted by most security vulnerabilities since 2018:

- Lemonldap Ng Lemonldap: 10 vulnerabilities
- Lemonldap Ng Apache: 2 vulnerabilities

By the Year

In 2024 there have been 0 vulnerabilities in Lemonldap Ng. Last year Lemonldap Ng had 6 security vulnerabilities published. Right now, Lemonldap Ng is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year  Vulnerabilities  Average CVSS Score
2024  0                0.00
2023  6                7.67
2022  2                8.65
2021  1                8.80
2020  0                0.00
2019  3                9.23
2018  0                0.00

It may take a day or so for new Lemonldap Ng vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Lemonldap Ng Security Vulnerabilities

CVE-2023-44469 4.3 - Medium - September 29, 2023

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

XSPA

CVE-2019-19791 9.8 - Critical - May 29, 2023

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

Improper Access Control

CVE-2022-37186 5.9 - Medium - April 16, 2023

In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

Insufficient Session Expiration

CVE-2023-28862 9.8 - Critical - March 31, 2023

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.

Authentication

CVE-2020-36659 8.1 - High - January 27, 2023

In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.

Improper Certificate Validation

CVE-2020-36658 8.1 - High - January 27, 2023

In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.

Improper Certificate Validation

CVE-2021-40874 9.8 - Critical - July 18, 2022

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.

Authentication

CVE-2020-16093 7.5 - High - July 18, 2022

In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.

Improper Certificate Validation

CVE-2021-35472 8.8 - High - July 30, 2021

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

Improper Restriction of Excessive Authentication Attempts

CVE-2019-15941 9.8 - Critical - September 25, 2019

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

AuthZ

CVE-2019-13031 8.1 - High - June 28, 2019

LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.

XXE

CVE-2019-12046 9.8 - Critical - May 22, 2019

LemonLDAP::NG -2.0.3 has Incorrect Access Control.

Insufficiently Protected Credentials

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).