An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "lemonldap-ng", "binary_version": "2.18.2+ds-1" }, { "binary_name": "lemonldap-ng-doc", "binary_version": "2.18.2+ds-1" }, { "binary_name": "lemonldap-ng-fastcgi-server", "binary_version": "2.18.2+ds-1" }, { "binary_name": "lemonldap-ng-handler", "binary_version": "2.18.2+ds-1" }, { "binary_name": "lemonldap-ng-uwsgi-app", "binary_version": "2.18.2+ds-1" }, { "binary_name": "liblemonldap-ng-common-perl", "binary_version": "2.18.2+ds-1" }, { "binary_name": "liblemonldap-ng-handler-perl", "binary_version": "2.18.2+ds-1" }, { "binary_name": "liblemonldap-ng-manager-perl", "binary_version": "2.18.2+ds-1" }, { "binary_name": "liblemonldap-ng-portal-perl", "binary_version": "2.18.2+ds-1" }, { "binary_name": "liblemonldap-ng-ssoaas-apache-client-perl", "binary_version": "2.18.2+ds-1" } ] }