Vulnerability Description
OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lemonldap-Ng | Lemonldap\ | >= 2.0.0, <= 2.0.5, \ |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881Third Party Advisory
- https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out/Third Party Advisory
- https://seclists.org/bugtraq/2019/Sep/46Mailing ListThird Party Advisory
- https://www.debian.org/security/2019/dsa-4533Third Party Advisory
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881Third Party Advisory
- https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out/Third Party Advisory
- https://seclists.org/bugtraq/2019/Sep/46Mailing ListThird Party Advisory
- https://www.debian.org/security/2019/dsa-4533Third Party Advisory
FAQ
What is CVE-2019-15941?
CVE-2019-15941 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an ...
How severe is CVE-2019-15941?
CVE-2019-15941 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-15941?
Check the references section above for vendor advisories and patch information. Affected products include: Lemonldap-Ng Lemonldap\, Debian Debian Linux.