CVE-2019-15941
Summary
| CVE | CVE-2019-15941 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-09-25 20:15:00 UTC |
| Updated | 2020-08-18 15:05:00 UTC |
| Description | OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs. |
Risk And Classification
Problem Types: CWE-863 (Incorrect Authorization)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Application | Lemonldap-ng | Lemonldap | All | All | | |
| Application | Lemonldap-ng | Lemonldap | | All | All | |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| OW2 - lemonldap-ng.lemonldap-ng-2-0-6-is-out - LemonLDAP::NG 2.0.6 is out! | MISC | projects.ow2.org | Third Party Advisory |
| [Security:high] oidc authorization codes are not tied to their RP (#1881) · Issues · LemonLDAP NG / lemonldap-ng · GitLab | MISC | gitlab.ow2.org | Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4533-1] lemonldap-ng security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4533-1 lemonldap-ng | DEBIAN | www.debian.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |