PT-2019-4124 · Lemonldap · Lemonldap::Ng

Maxbes · Published 2019-09-25 · Updated 2020-08-18 · CVE-2019-15941

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LemonLDAP::NG versions 2.x through 2.0.5

Description: The issue is an improper authorization flaw in the OpenID Connect Issuer of LemonLDAP::NG. It allows an attacker to bypass access control rules via a crafted OpenID Connect authorization request. The bypass is possible when the LemonLDAP configuration contains an OIDC Relying Party with weaker access control rules than the target RP and no filtering on redirection URIs. Exploitation may allow a remote attacker to gain unauthorized access to information and to compromise its integrity and availability by sending a specially crafted OpenID Connect authorization request.

Recommendations: For LemonLDAP::NG versions 2.x through 2.0.5, consider disabling the OpenID Connect Issuer feature until a patch is available, or ensure that all OIDC Relying Parties have strong access control rules and that redirection URIs are filtered, to minimize the risk of exploitation.

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: BDU:2019-04703, CVE-2019-15941, DSA-4533-1

Affected Products: Lemonldap::Ng