CVE Vulnerability

CVE-2021-35472

An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539 Exploit Patch
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags Patch Third Party Advisory
https://www.debian.org/security/2021/dsa-4943 Third Party Advisory
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/8d3b763b6af2b8a9c4ad2765fbfabffec8a73af5 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:lemonldap-ng:lemonldap::ng:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Information

Published : 2021-07-30 02:15

Updated : 2021-08-11 03:31

NVD link : CVE-2021-35472

Mitre link : CVE-2021-35472

Products Affected
No products.
CWE
CWE-307

Improper Restriction of Excessive Authentication Attempts