#VU100227 Improper privilege management in LemonLDAP::NG

Cybersecurity Help s.r.o.

Published: 2024-11-11

Vulnerability identifier: #VU100227

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: N/A

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LemonLDAP::NG
Web applications / Other software

Vendor: LemonLDAP::NG

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to an error when assigning privileges via the "Refresh my rights" feature. A remote user can login to the application and click on the "Refresh my rights" to obtain higher privileges within the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LemonLDAP::NG: 2.0.0 - 2.20.0

External links
https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-20-1-is-out/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora EPEL 9 update for lemonldap-ng

Fedora EPEL 8 update for lemonldap-ng

Fedora 41 update for lemonldap-ng

Fedora 39 update for lemonldap-ng

Fedora 40 update for lemonldap-ng

Multiple vulnerabilities in LemonLDAP::NG