CVE-2023-28862

EUVD-2023-32483
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
lemonldap-nglemonldap\
𝑥
< 2.16.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lemonldap-ng
bookworm
2.16.1+ds-deb12u3
fixed
bullseye
2.0.11+ds-4+deb11u5
fixed
bullseye (security)
2.0.11+ds-4+deb11u6
fixed
sid
2.20.1+ds-1
fixed
trixie
2.20.1+ds-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
lemonldap-ng
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
not-affected
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html