CVE-2023-28862
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
31/03/2023
Last modified:
14/02/2025
Description
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:lemonldap-ng:lemonldap\:\:ng:*:*:*:*:*:*:*:* | 2.16.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
- https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
- https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html