Vulnerability Details CVE-2023-28862
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.3%
CVSS Severity
CVSS v3 Score 9.8
References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
- https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
- https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html
Products affected by CVE-2023-28862
-
cpe:2.3:a:lemonldap-ng:lemonldap: