← Back to CVEs

CVE-2019-15941

CRITICAL

9.8

Description

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published9/25/2019

Last Modified5/28/2025

Sourcenvd

Honeypot Sightings0

Affected Products

debian:debian_linuxlemonldap-ng:lemonldap\

Weaknesses (CWE)

CWE-863

References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881(cve@mitre.org)

https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out/(cve@mitre.org)

https://seclists.org/bugtraq/2019/Sep/46(cve@mitre.org)

https://www.debian.org/security/2019/dsa-4533(cve@mitre.org)

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881(af854a3a-2127-422b-91ae-364da2661108)

https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out/(af854a3a-2127-422b-91ae-364da2661108)

https://seclists.org/bugtraq/2019/Sep/46(af854a3a-2127-422b-91ae-364da2661108)

https://www.debian.org/security/2019/dsa-4533(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.