CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.

Published: Mar 31, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-28862
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
lemonldap-ng / lemonldap--ng	-	2.16.1

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html

Vulnerability Database

CVE-2023-28862