Hi all,
during an internal audit, one of lemonldap-ng's developers discovered an
attack vector. It opens 3 security issues:
- [high] for 2.0.0 ≤ version < 2.0.4: when CSRF tokens are
enabled (default) and tokens are stored in session DB (not default,
used with poor load-balancers), the token can be used to open an
anonymous short-life session (2 min). It allows one to access all
applications without additional rules
- [medium] for every version < 2.0.4 or 1.9.19 when SAML/OIDC tokens are
stored in sessions DB (not default), tokens can be used to have an
anonymous session
- [low] for every version < 2.0.4 or 1.9.19: when self-registration
is allowed, mail token can be used to have an anonymous session.
You can find Debian patches here:
* 1.9.x series (Bionic/Cosmic): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/stretch-security/debian/patches/CVE-2019-12046.patch
* 2.0.x series (Disco): https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng/blob/master/debian/patches/CVE-2019-12046.patch
1.9.x patch can be backported to 1.4.x series (Xenial), not fully tested.
For more, see:
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
Cheers,
Xavier (yadd) <email address hidden>
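The common root of the three issues above is that short-lived tokens (CSRF, SAML/OIDC, mail) and real SSO sessions share one session DB, so a token identifier can be presented where a session identifier is expected. The following added example, which is not LemonLDAP::NG's own code or its actual fix, illustrates the class of defect and the check that closes it: a lookup that accepts any record in the store beside one that also requires a `_session_kind` marker of `SSO` and an unexpired TTL (the field names and the in-memory store are constructed for the illustration).

```python
import secrets
import time

# Constructed stand-in for a shared "session DB" holding both SSO sessions
# and short-lived tokens. Real deployments use a DB or cache backend.
SESSION_DB = {}


def store(kind, ttl, **attrs):
    """Store a record under a random id; kind distinguishes sessions from tokens."""
    sid = secrets.token_hex(32)
    SESSION_DB[sid] = {"_session_kind": kind, "_utime": time.time(),
                       "_ttl": ttl, **attrs}
    return sid


def lookup_vulnerable(sid):
    """Weak behaviour: any record found in the DB is treated as a valid session,
    so a token id (which carries no user attributes) yields an anonymous session."""
    return SESSION_DB.get(sid)


def lookup_hardened(sid, now=None):
    """Accept only records explicitly marked as SSO sessions that have not expired.
    Tokens stored in the same DB are rejected even though the id is otherwise valid."""
    now = time.time() if now is None else now
    rec = SESSION_DB.get(sid)
    if rec is None or rec.get("_session_kind") != "SSO":
        return None
    if now - rec["_utime"] > rec["_ttl"]:
        return None
    return rec


def demo():
    """Create one real session and one CSRF-style token, then compare both lookups."""
    user_sid = store("SSO", 3600, uid="alice")
    csrf_tok = store("Token", 120)          # 2-minute token, no uid attribute
    return {
        "vuln_accepts_token": lookup_vulnerable(csrf_tok) is not None,
        "hardened_accepts_token": lookup_hardened(csrf_tok) is not None,
        "hardened_accepts_session": lookup_hardened(user_sid) is not None,
        "hardened_rejects_expired": lookup_hardened(user_sid, now=time.time() + 7200) is None,
    }


if __name__ == "__main__":
    print(demo())
```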