An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lemonldap::ng | Lemonldap-ng | 2.0.13 (including) | 2.0.13 (including) |
| Lemonldap-ng | Ubuntu | bionic | * |
| Lemonldap-ng | Ubuntu | esm-apps/bionic | * |
| Lemonldap-ng | Ubuntu | esm-apps/focal | * |
| Lemonldap-ng | Ubuntu | focal | * |
| Lemonldap-ng | Ubuntu | impish | * |
| Lemonldap-ng | Ubuntu | kinetic | * |
| Lemonldap-ng | Ubuntu | lunar | * |
| Lemonldap-ng | Ubuntu | mantic | * |
| Lemonldap-ng | Ubuntu | oracular | * |
| Lemonldap-ng | Ubuntu | plucky | * |
| Lemonldap-ng | Ubuntu | trusty | * |
| Lemonldap-ng | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html