Vulnerability Description
Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).
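The code below is an added example, not LemonLDAP::NG's own code (the project is written in Perl, and its actual fix lives in the referenced commits, which are not reproduced here). It models the bug class the description names: a token-endpoint client-authentication routine in which a truthiness test on the presented secret skips the comparison when the parameter is present but empty, beside a hardened version that fails closed on a missing or empty secret, compares in constant time, and handles both client_secret_post and client_secret_basic. The client registry, function names and request shapes are constructed assumptions.

```python
"""Model of the client-authentication bug class behind CVE-2024-45160.
Added example; NOT LemonLDAP::NG code. Registry, names and request
shapes are assumptions made for illustration."""

import base64
import hmac
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed client registry (assumption): client_id -> stored secret.
# None marks a public client that must never authenticate by secret.
CLIENTS = {
    "rp-confidential": "s3cr3t-value",
    "rp-public": None,
}


def vulnerable_check(client_id: Optional[str], client_password: Optional[str]) -> bool:
    """Reconstruction of the bug class, not the vendor's code: the
    truthiness test on client_password skips the comparison when the
    parameter is present but empty, so any registered confidential
    client_id is accepted with client_password == ""."""
    stored = CLIENTS.get(client_id) if client_id else None
    if stored is None:
        return False
    if client_password and client_password != stored:
        return False
    return True  # reached with an empty secret: authentication bypass


def hardened_check(client_id: Optional[str], client_secret: Optional[str]) -> bool:
    """Fail closed on missing/empty secrets, unknown ids and public
    clients; compare in constant time; keep timing uniform for unknown ids."""
    presented = (client_secret or "").encode()
    stored = CLIENTS.get(client_id) if client_id else None
    if stored is None:
        hmac.compare_digest(b"dummy-for-uniform-timing", presented)
        return False
    if not client_secret:  # None (absent) or "" (present but empty)
        return False
    return hmac.compare_digest(stored.encode(), presented)


def basic_header(client_id: str, client_secret: str) -> dict:
    """Build a client_secret_basic Authorization header (RFC 6749 2.3.1)."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def extract_client_credentials(form: dict, headers: dict) -> Tuple[Optional[str], Optional[str]]:
    """Return (client_id, secret) from client_secret_basic if present,
    else client_secret_post. secret is None when not presented and ""
    when presented empty; both must fail for confidential clients."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        cid, sep, secret = raw.partition(":")
        return unquote(cid), (unquote(secret) if sep else None)
    return form.get("client_id"), form.get("client_secret")


def authenticate(form: dict, headers: dict, check=hardened_check) -> bool:
    """Token-endpoint client authentication using the chosen checker."""
    cid, secret = extract_client_credentials(form, headers)
    return check(cid, secret)


if __name__ == "__main__":
    probe = {"client_id": "rp-confidential", "client_secret": ""}
    print("vulnerable accepts empty secret:", authenticate(probe, {}, check=vulnerable_check))
    print("hardened accepts empty secret:  ", authenticate(probe, {}))
```

The probe in the `__main__` block is the same shape a tester would send to a token endpoint to confirm exposure: a registered client_id with a present-but-empty secret, via the form body and again via a Basic header whose base64 payload ends in a colon. A correct endpoint answers both with invalid_client.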
CVSS Score
9.1 (CRITICAL)
Related Weaknesses (CWE)
References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/06d771cbc2d5c752354c50
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/236cdfe42c1dc04a15a4a4
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/696f49a0855faeb271096d
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3223
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags
FAQ
What is CVE-2024-45160?
CVE-2024-45160 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).
How severe is CVE-2024-45160?
CVE-2024-45160 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-45160?
Yes. The affected releases are LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2, and the issue is fixed in 2.19.2; the fix commits and upstream issue #3223 are listed in the references above. Upgrade to 2.19.2 or later. Until then, verify that the OAuth2 token endpoint rejects requests whose client secret (the client_password parameter) is present but empty, since that is the condition the flaw turns into a successful client authentication.