Server-Side Request Forgery (SSRF) Affecting lemonldap-ng package, versions <2.16.1+ds-deb12u2
Threat Intelligence
EPSS
0.1% (43rd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN12-LEMONLDAPNG-5926158
- published 30 Sep 2023
- disclosed 29 Sep 2023
Introduced: 29 Sep 2023
CVE-2023-44469 Open this link in a new tabHow to fix?
Upgrade Debian:12 lemonldap-ng to version 2.16.1+ds-deb12u2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream lemonldap-ng package and not the lemonldap-ng package as distributed by Debian.
See How to fix? for Debian:12 relevant fixed versions and status.
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.
References
- https://security-tracker.debian.org/tracker/CVE-2023-44469
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.17.1
- https://security.lauritz-holtmann.de/post/sso-security-ssrf/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00014.html
CVSS Scores
version 3.1