A Server-Side Request Forgery issue in the OpenID Connect Issuer in
LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send
GET requests to arbitrary URLs through the request_uri authorization
parameter. This is similar to CVE-2020-10770.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | lemonldap-ng | < any | UNKNOWN |
ubuntu | 20.04 | noarch | lemonldap-ng | < any | UNKNOWN |
ubuntu | 22.04 | noarch | lemonldap-ng | < any | UNKNOWN |
ubuntu | 23.10 | noarch | lemonldap-ng | < any | UNKNOWN |
ubuntu | 24.04 | noarch | lemonldap-ng | < any | UNKNOWN |
ubuntu | 16.04 | noarch | lemonldap-ng | < any | UNKNOWN |

gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.17.1
launchpad.net/bugs/cve/CVE-2023-44469
nvd.nist.gov/vuln/detail/CVE-2023-44469
security-tracker.debian.org/tracker/CVE-2023-44469
security.lauritz-holtmann.de/post/sso-security-ssrf/
www.cve.org/CVERecord?id=CVE-2023-44469