Improper Authentication Affecting lemonldap-ng package, versions <2.16.1+ds-1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-LEMONLDAPNG-5296008
- published 30 Mar 2023
- disclosed 31 Mar 2023
Introduced: 30 Mar 2023
CVE-2023-28862 Open this link in a new tabHow to fix?
Upgrade Debian:unstable
lemonldap-ng
to version 2.16.1+ds-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream lemonldap-ng
package and not the lemonldap-ng
package as distributed by Debian
.
See How to fix?
for Debian:unstable
relevant fixed versions and status.
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.