CVE-2021-40874

Improper Authentication

Published: Jul 18, 2022 | Modified: Jul 25, 2022

CVSS 3.x: 9.8 CRITICAL (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu priority: MEDIUM

An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Lemonldap::ng Lemonldap-ng 2.0.13 (including) 2.0.13 (including)
Lemonldap-ng Ubuntu bionic *
Lemonldap-ng Ubuntu esm-apps/bionic *
Lemonldap-ng Ubuntu esm-apps/focal *
Lemonldap-ng Ubuntu focal *
Lemonldap-ng Ubuntu impish *
Lemonldap-ng Ubuntu kinetic *
Lemonldap-ng Ubuntu lunar *
Lemonldap-ng Ubuntu mantic *
Lemonldap-ng Ubuntu trusty *
Lemonldap-ng Ubuntu xenial *
