[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3979-1] lemonldap-ng security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3979-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 30, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : lemonldap-ng
Version        : 2.0.11+ds-4+deb11u6
CVE ID         : CVE-2024-48933 CVE-2024-52946 CVE-2024-52947
Debian Bug     : 1084979

Multiple vulnerabilities were discovered in Lemonldap::NG, an
OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead
to injection of arbitrary scripts or authorization bypass.

CVE-2024-48933

    Cross-site scripting (XSS) vulnerability which allows remote
    attackers to inject arbitrary web script or HTML into the login page
    via a username if ‘userControl’ has been set to a non-default value
    that allows special HTML characters.

CVE-2024-52946

    Improper Check during session refresh which allows an authenticated
    user to raise their authentication level if the admin configured an
    "Adaptative authentication rule" with an increment instead of an
    absolute value.

CVE-2024-52947

    Cross-site scripting (XSS) vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via the ‘url’
    parameter of the upgrade session confirmation page (upgradeSession)
    if the "Upgrade session" plugin has been enabled by an admin.

For Debian 11 bullseye, these problems have been fixed in version
2.0.11+ds-4+deb11u6.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature


Reply to: