CVE-2019-15941 - Incorrect Authorization vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, lemonldap-ng, debian, CWE-863, nessus

Summary

The OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

Vulnerable Configurations

Part         Description    Count
Application  Lemonldap-Ng   6
OS           Debian         1

Common Weakness Enumeration (CWE)

CWE-863 (Incorrect Authorization)

Nessus

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-4533.NASL
Description: It was discovered that the Lemonldap::NG web SSO system did not restrict OIDC authorization codes to the relying party.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 129365
Published: 2019-09-26
Reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/129365
Title: Debian DSA-4533-1 : lemonldap-ng - security update