CVE-2023-28862
Summary
| Field | Value |
|---|---|
| CVE | CVE-2023-28862 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-31 17:15:00 UTC |
| Updated | 2023-07-14 13:15:00 UTC |
| Description | An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] [DLA 3496-1] lemonldap-ng security update | MLIST | lists.debian.org | |
| Version 2.16.1 · LemonLDAP NG / lemonldap-ng · GitLab | CONFIRM | gitlab.ow2.org | |
| [Security][CVE-2023-28862] AuthBasic does not handle failure correctly (#2896) · Issues · LemonLDAP NG / lemonldap-ng · GitLab | MISC | gitlab.ow2.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 181850 Debian Security Update for lemonldap-ng (CVE-2023-28862)
- 6000114 Debian Security Update for lemonldap-ng (DLA 3496-1)