PT-2023-22013 · Unknown · Lemonldap::Ng

Published: 2023-03-31 · Updated: 2023-07-14 · CVE-2023-28862

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LemonLDAP::NG versions prior to 2.16.1

Description: An issue was discovered in LemonLDAP::NG that allows attackers to bypass 2FA verification because of weak session ID generation in the AuthBasic handler and incorrect failure handling during the password check. Any plugin that tries to deny session creation after the store step does not actually deny an AuthBasic session.

Recommendations: For versions prior to 2.16.1, update to version 2.16.1 or later to resolve the issue. As a temporary workaround, consider disabling the AuthBasic handler until the fix can be applied. Restrict access to plugins that try to deny session creation after the store step to minimize the risk of exploitation.

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2023-28862, DLA-3496-1

Affected Products: Lemonldap::Ng