An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Lemonldap::ng | Lemonldap-ng | 2.0.13 (including) | 2.0.13 (including) |
Lemonldap-ng | Ubuntu | bionic | * |
Lemonldap-ng | Ubuntu | esm-apps/bionic | * |
Lemonldap-ng | Ubuntu | esm-apps/focal | * |
Lemonldap-ng | Ubuntu | focal | * |
Lemonldap-ng | Ubuntu | impish | * |
Lemonldap-ng | Ubuntu | kinetic | * |
Lemonldap-ng | Ubuntu | lunar | * |
Lemonldap-ng | Ubuntu | mantic | * |
Lemonldap-ng | Ubuntu | trusty | * |
Lemonldap-ng | Ubuntu | xenial | * |