Maxime Besson

**Name of the Vulnerable Software and Affected Versions** LemonLDAP::NG versions 2.18.x through 2.19.1 **Description** The issue is related to incorrect credential validation, allowing attackers to bypass OAuth2 client authentication. This can be achieved by providing an empty `client password` parameter, which is also known as the client secret. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For LemonLDAP::NG versions 2.18.x through 2.19.1, update to version 2.19.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the OAuth2 client authentication mechanism until a patch is available. Avoid using an empty `client password` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LemonLDAP::NG version 2.0.13 **Description** An issue was discovered in LemonLDAP::NG when using the RESTServer plug-in for a REST password validation service and the Kerberos authentication method combined with another method using the Combination authentication plug-in. In this scenario, any password will be recognized as valid for an existing user. **Recommendations** For LemonLDAP::NG version 2.0.13, consider disabling the Combination authentication plug-in or the Kerberos authentication method as a temporary workaround until a patch is available. Restrict access to the REST password validation service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LemonLDAP::NG versions prior to 2.0.9 **Description** The issue concerns the validity of X.509 certificates not being checked by default when connecting to remote LDAP backends. This is due to the default configuration of the Net::LDAPS module for Perl being used. **Recommendations** For versions prior to 2.0.9, update to version 2.0.9 or later to ensure the validity of X.509 certificates is properly checked when connecting to remote LDAP backends.

**Name of the Vulnerable Software and Affected Versions** LemonLDAP::NG versions through 2.0.8 Lemonldap::NG handler for Node.js versions before 0.5.2 **Description** An issue in LemonLDAP::NG allows an attacker to bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This is related to errors in security mechanisms, which can allow a remote attacker to gain unauthorized access to information. When access rules are used inside a protected host, some URL encodings may bypass the filtering system. **Recommendations** For LemonLDAP::NG versions through 2.0.8, update to a version that includes the patch for this issue. For Lemonldap::NG handler for Node.js versions before 0.5.2, update to version 0.5.2 or later, which includes a patch that fixes the vulnerability. As a temporary workaround, consider restricting access to protected Virtual Hosts until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** LemonLDAP::NG versions 2.x through 2.0.5 **Description** The issue is related to improper authorization in the OpenID Connect Issuer of LemonLDAP::NG. It allows an attacker to bypass access control rules via a crafted OpenID Connect authorization request. This can happen if there exists an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs. Exploitation of this issue may allow a remote attacker to gain unauthorized access to information, compromising its integrity and availability, by using a specially crafted OpenID Connect authorization request. **Recommendations** For LemonLDAP::NG versions 2.x through 2.0.5, consider disabling the OpenID Connect Issuer feature until a patch is available, or ensure that all OIDC Relaying parties have strong access control rules and implement filtering on redirection URIs to minimize the risk of exploitation.