CVE-2019-19791

9.8 CRITICAL

📋 TL;DR

This vulnerability in LemonLDAP::NG allows attackers to bypass authentication by manipulating URLs to access SOAP/REST endpoints that should be restricted. It affects systems using default Apache HTTP Server configurations with certain LemonLDAP::NG setup options. The bypass occurs when attackers insert 'index.fcgi/index.fcgi' into URLs to circumvent Require directives.

💻 Affected Systems

Products:
  • LemonLDAP::NG (lemonldap-ng)
Versions: All versions before 2.0.7
Operating Systems: Any OS running Apache HTTP Server with LemonLDAP::NG
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using certain LemonLDAP::NG setup options with default Apache configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete authentication bypass allowing unauthorized access to protected resources, potentially leading to data theft, privilege escalation, or full system compromise.

🟠 Likely Case: Unauthorized access to sensitive endpoints and protected resources that should require authentication.

🟢 If Mitigated: No impact if proper access controls and updated configurations are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of specific URL manipulation technique but is straightforward once understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.7

Vendor Advisory: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-7-is-out

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade LemonLDAP::NG to version 2.0.7 or later.
3. Restart Apache HTTP Server.
4. Verify the fix by testing authentication bypass attempts.

🔧 Temporary Workarounds

Manual Apache Configuration Update (Linux)

Modify the Apache configuration to properly restrict access to SOAP/REST endpoints: edit the Apache configuration files to add proper Require directives and LocationMatch blocks for all SOAP/REST endpoints.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from untrusted networks
  • Deploy web application firewall (WAF) rules to detect and block URL manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check if running LemonLDAP::NG version earlier than 2.0.7 and using default Apache configuration with SOAP/REST endpoints

Check Version:

lemonldap-ng-cli --version or check package manager (apt list --installed | grep lemonldap-ng)

Verify Fix Applied:

Test authentication bypass by attempting to access protected endpoints with 'index.fcgi/index.fcgi' inserted in URLs

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to SOAP/REST endpoints
  • Failed authentication attempts followed by successful access
  • URLs containing 'index.fcgi/index.fcgi' pattern

Network Indicators:

  • HTTP requests with manipulated URLs containing duplicate path elements
  • Access to protected endpoints without proper authentication headers

SIEM Query:

source="apache_access.log" AND (url="*index.fcgi/index.fcgi*" OR (status=200 AND (url="*/soap/*" OR url="*/rest/*")))
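The 'index.fcgi/index.fcgi' log indicator above can also be checked directly against Apache access logs, after percent-decoding and slash-collapsing so encoded variants are not missed. This is an added example, not code from the advisory or from LemonLDAP::NG; it assumes the Apache common/combined log format, and the sample lines, addresses and endpoint paths are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Two consecutive index.fcgi path segments, the indicator named on this page.
DOUBLED = re.compile(r'/index\.fcgi/index\.fcgi(?:/|$)', re.IGNORECASE)

def normalize_path(target):
    """Drop the query string, undo up to two layers of percent-encoding,
    and collapse repeated slashes so encoded variants compare equal."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r'/{2,}', '/', path)

def find_suspicious(lines):
    """Return one record per request whose normalized path has the doubled segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = normalize_path(m['target'])
        if DOUBLED.search(path):
            status = int(m['status'])
            # A 2xx answer means the request was served: triage these first.
            hits.append({'host': m['host'], 'time': m['time'], 'path': path,
                         'status': status, 'served': 200 <= status < 300})
    return hits

# Constructed sample lines: addresses, times and endpoint paths are made up.
SAMPLE = [
    '192.0.2.10 - - [10/Dec/2019:10:00:01 +0000] "GET /index.fcgi/index.fcgi/rest/example HTTP/1.1" 200 512 "-" "curl/7.64"',
    '192.0.2.10 - - [10/Dec/2019:10:00:02 +0000] "POST /index.fcgi/%69ndex.fcgi/soap/example HTTP/1.1" 403 199 "-" "curl/7.64"',
    '198.51.100.7 - - [10/Dec/2019:10:00:03 +0000] "GET /index.fcgi/rest/example HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2019:10:00:04 +0000] "GET /INDEX.FCGI//index.fcgi?x=1 HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE):
        print(hit)
```

Records with 'served' set to True are the ones to correlate with session and application logs first, since the server answered them with a 2xx status.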
