CVE-2019-15941
lemonldap-ng - security update
CVSS 3.1 score: 9.8 (CRITICAL)
EPSS: 0.40%
Description
OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party (RP) within the LemonLDAP::NG configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.
How to fix CVE-2019-15941
To remediate CVE-2019-15941, upgrade the affected package to a fixed version below.
- upgrade to 2.0.6+ds-1 or later
- upgrade to 2.0.2+ds-7+deb10u2 or later
Is CVE-2019-15941 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- lemonldap-ng: all versions before 2.0.6+ds-1
- lemonldap-ng: all versions before 2.0.2+ds-7+deb10u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |