Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Lemonldap::ng Security Vulnerabilities

cve
cve

CVE-2019-19791

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directiv...

9.8CVSS

9.3AI Score

0.002EPSS

2023-05-29 07:15 PM
21
cve
cve

CVE-2020-16093

In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.

7.5CVSS

7.5AI Score

0.001EPSS

2022-07-18 12:15 AM
37
25
cve
cve

CVE-2020-24660

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.

9.8CVSS

9.1AI Score

0.019EPSS

2020-09-14 01:15 PM
50
cve
cve

CVE-2021-35472

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

8.8CVSS

8.8AI Score

0.008EPSS

2021-07-30 02:15 PM
44
cve
cve

CVE-2021-40874

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authen...

9.8CVSS

9.6AI Score

0.003EPSS

2022-07-18 12:15 AM
42
11
cve
cve

CVE-2022-37186

In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

5.9CVSS

5.6AI Score

0.001EPSS

2023-04-16 02:15 AM
35
cve
cve

CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBas...

9.8CVSS

9.3AI Score

0.001EPSS

2023-03-31 05:15 PM
18
cve
cve

CVE-2023-44469

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

4.3CVSS

4.7AI Score

0.152EPSS

2023-09-29 07:15 AM
23