CVE-2019-12046: anonymous session allowed when tokens are stored in session DB
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lemonldap-ng (Debian) |
Fix Released
|
Unknown
|
|||
lemonldap-ng (Ubuntu) |
Confirmed
|
High
|
Unassigned |
Bug Description
Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
enabled (default) and tokens are stored in session DB (not default,
used with poor load-balancers), the token can be used to open an
anonymous short-life session (2mn). It allows one to access to all
aplications without additional rules
- [high] for every versions < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
stored in sessions DB (not default), tokens can be used to have an
anonymous session
- [low] for every versions < 2.0.4 or 1.9.19: when self-registration
is allowed, mail token can be used to have an anonymous session.
You can find Debian patchs here:
* 1.9.x series (Bionix/Cosmic): https:/
* 2.0.x series (Disco): https:/
1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.
For more, see:
- https:/
- https:/
- https:/
- https:/
Cheers,
Xavier (yadd) <email address hidden>
CVE References
Changed in lemonldap-ng (Debian): | |
status: | Unknown → Fix Released |
Fix for Xenial can be inspired from https:/ /gitlab. ow2.org/ lemonldap- ng/lemonldap- ng/commit/ 3a21d1d9dd6b6db 1b937244e559dfd 5bef77e3c4