CVE-2023-44469

Published: Sep 29, 2023Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

Affected (1)

Products: Lemonldap Ng: Lemonldap\

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lemonldap Ng Lemonldap\	Before 2.17.1

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (8)

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998

Source: cve@mitre.org

Issue TrackingPatchVendor Advisory

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.17.1

Source: cve@mitre.org

Issue TrackingRelease Notes

https://lists.debian.org/debian-lts-announce/2023/10/msg00014.html

Source: cve@mitre.org

https://security.lauritz-holtmann.de/post/sso-security-ssrf/

Source: cve@mitre.org

Not Applicable

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.17.1

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingRelease Notes

https://lists.debian.org/debian-lts-announce/2023/10/msg00014.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.lauritz-holtmann.de/post/sso-security-ssrf/

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

Timeline

No history available yet.