A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | lemonldap-ng | < 2.16.1+ds-deb12u2 | lemonldap-ng_2.16.1+ds-deb12u2_all.deb |
Debian | 11 | all | lemonldap-ng | < 2.0.11+ds-4+deb11u5 | lemonldap-ng_2.0.11+ds-4+deb11u5_all.deb |
Debian | 10 | all | lemonldap-ng | < 2.0.2+ds-7+deb10u10 | lemonldap-ng_2.0.2+ds-7+deb10u10_all.deb |
Debian | 999 | all | lemonldap-ng | < 2.17.1+ds-1 | lemonldap-ng_2.17.1+ds-1_all.deb |
Debian | 13 | all | lemonldap-ng | < 2.17.1+ds-1 | lemonldap-ng_2.17.1+ds-1_all.deb |