Candidate: CVE-2019-15941
PublicDate: 2019-09-25 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15941
Description:
 OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an
 attacker to bypass access control rules via a crafted OpenID Connect
 authorization request. To be vulnerable, there must exist an OIDC Relaying
 party within the LemonLDAP configuration with weaker access control rules
 than the target RP, and no filtering on redirection URIs.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_lemonldap-ng:
upstream_lemonldap-ng: released (2.0.6+ds-1)
precise/esm_lemonldap-ng: DNE
trusty_lemonldap-ng: ignored (out of standard support)
trusty/esm_lemonldap-ng: DNE
xenial_lemonldap-ng: ignored (end of standard support, was needs-triage)
bionic_lemonldap-ng: needs-triage
disco_lemonldap-ng: ignored (reached end-of-life)
eoan_lemonldap-ng: ignored (reached end-of-life)
focal_lemonldap-ng: not-affected (2.0.6+ds-2)
groovy_lemonldap-ng: not-affected (2.0.6+ds-2)
hirsute_lemonldap-ng: not-affected (2.0.6+ds-2)
impish_lemonldap-ng: not-affected (2.0.6+ds-2)
jammy_lemonldap-ng: not-affected (2.0.6+ds-2)
devel_lemonldap-ng: not-affected (2.0.6+ds-2)