CVE-2024-45160

Name of the Vulnerable Software and Affected Versions LemonLDAP::NG versions 2.18.x through 2.19.1

Description The issue is related to incorrect credential validation, allowing attackers to bypass OAuth2 client authentication. This can be achieved by providing an empty client password parameter, which is also known as the client secret. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited.

Recommendations For LemonLDAP::NG versions 2.18.x through 2.19.1, update to version 2.19.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the OAuth2 client authentication mechanism until a patch is available. Avoid using an empty client password parameter in the affected API endpoint until the issue is resolved.