Vulnerabilities > CVE-2022-37186 - Insufficient Session Expiration vulnerability in Lemonldap-Ng Lemonldap::Ng

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

lemonldap-ng

CWE-613

NVD

Published: 2023-04-16

Updated: 2023-04-26

Summary

In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

Vulnerable Configurations

Part	Description	Count
Application	Lemonldap-Ng Lemonldap NG Lemonldap \	81

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b393947663ad3bf26bad0581413dd6fae4
https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.0.15