Vulnerability Description
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lemonldap-Ng | LemonLDAP::NG | < 2.16.1 |
Related Weaknesses (CWE)
References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896 (Exploit, Issue Tracking, Patch)
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1 (Release Notes)
- https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html
FAQ
What is CVE-2023-28862?
CVE-2023-28862 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verific...
How severe is CVE-2023-28862?
CVE-2023-28862 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-28862?
Check the references section above for vendor advisories and patch information; the fix is in LemonLDAP::NG 2.16.1. Affected products include: Lemonldap-Ng LemonLDAP::NG (versions before 2.16.1).