CVE-2024-45160

Oct. 10, 2024, 12:51 p.m.

9.1
Critical

Description

Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).

Product(s) Impacted

Product Versions
LemonLDAP::NG
  • 2.18.x
  • 2.19.x before 2.19.2

Weaknesses

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/06d771cbc2d5c752354c50f83e4912e5879f9aa2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/236cdfe42c1dc04a15a4a40c5e6a8c2e858d71d7
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/696f49a0855faeb271096dccb8381e2129687c3d
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3223
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags

Tags

cve@mitre.org
CWE-863
2024-10-09
CVE-2024-45160

CVSS Score

9.1 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Date

  • Published: Oct. 9, 2024, 5:15 a.m.
  • Last Modified: Oct. 10, 2024, 12:51 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.