CVE-2024-45160

NameCVE-2024-45160
DescriptionIncorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lemonldap-ng (PTS)jessie, jessie (lts)1.3.3-1+deb8u2fixed
stretch (security), stretch (lts), stretch1.9.7-3+deb9u4fixed
buster (security), buster, buster (lts)2.0.2+ds-7+deb10u10fixed
bullseye2.0.11+ds-4+deb11u5fixed
bookworm2.16.1+ds-deb12u3fixed
sid, trixie2.20.1+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lemonldap-ngsourcejessie(not affected)
lemonldap-ngsourcestretch(not affected)
lemonldap-ngsourcebuster(not affected)
lemonldap-ngsourcebullseye(not affected)
lemonldap-ngsourcebookworm(not affected)
lemonldap-ngsource(unstable)2.19.2+ds-1

Notes

[bookworm] - lemonldap-ng <not-affected> (Vulnerable code not present)
[bullseye] - lemonldap-ng <not-affected> (Vulnerable code not present)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3223
Introduced by: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/06d771cbc2d5c752354c50f83e4912e5879f9aa2 (v2.18.0)
Unit test: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/236cdfe42c1dc04a15a4a40c5e6a8c2e858d71d7 (v2.19.2)
Fixed by: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/696f49a0855faeb271096dccb8381e2129687c3d (v2.19.2)
[buster] - lemonldap-ng <not-affected> (Vulnerable code not present)
[stretch] - lemonldap-ng <not-affected> (Vulnerable code not present)
[jessie] - lemonldap-ng <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems