CVE-2024-45160
📋 TL;DR
This vulnerability allows attackers to bypass OAuth2 client authentication in LemonLDAP::NG by sending an empty client_password parameter. Attackers can impersonate legitimate OAuth2 clients without valid credentials. Organizations using affected LemonLDAP::NG versions as an identity provider with OAuth2 are impacted.
💻 Affected Systems
- LemonLDAP::NG
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to protected resources, impersonate legitimate users, and potentially compromise the entire authentication infrastructure.
Likely Case
Unauthorized access to applications relying on LemonLDAP::NG OAuth2 authentication, leading to data breaches and privilege escalation.
If Mitigated
Limited impact with proper network segmentation, monitoring, and additional authentication layers.
🎯 Exploit Status
Exploitation requires sending specially crafted OAuth2 requests with an empty client_password parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.2
Vendor Advisory: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags
Restart Required: Yes
Instructions:
1. Backup current configuration and data
2. Update LemonLDAP::NG to version 2.19.2 or later
3. Restart LemonLDAP::NG service
4. Verify OAuth2 authentication is working correctly
🔧 Temporary Workarounds
Disable OAuth2 client authentication
Temporarily disable OAuth2 client authentication until patching is complete
Edit LemonLDAP::NG configuration to remove or comment out OAuth2 client authentication settings
Network access restrictions
Restrict access to OAuth2 endpoints using firewall rules (Linux)
iptables -A INPUT -p tcp --dport [oauth2-port] -s [trusted-networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [oauth2-port] -j DROP
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block requests with empty client_password parameters
- Enable additional authentication factors for OAuth2 clients
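The following Python snippet is an added illustration, not code from LemonLDAP::NG or from this advisory. It shows the two defensive checks the guidance above relies on: a request-level pre-check of the kind a WAF rule would implement (flag a token request whose client_password parameter is present but empty), and a client-authentication routine in its flawed form beside its hardened form. The client registry, the request bodies and the function names are constructed for the example; the flawed routine is a hypothetical sketch of the bypass class, not the project's actual code.

```python
import hmac
from urllib.parse import parse_qs

# Constructed client registry (hypothetical; not LemonLDAP::NG's configuration).
# Maps client_id -> client secret as bytes.
CLIENT_SECRETS = {
    "webapp": b"s3cr3t-webapp",
}


def has_empty_client_password(body: str) -> bool:
    """True when a form-encoded token request carries a client_password
    parameter whose value is empty. This is the request pattern a WAF rule
    would block in front of an unpatched identity provider."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("client_password")
    if values is None:
        return False  # parameter absent: not the pattern in question
    return any(v.strip() == "" for v in values)


def authenticate_client_vulnerable(client_id, client_password):
    """Hypothetical flawed logic: an empty or missing secret is treated as
    'nothing to check' and the client is accepted on its id alone."""
    if client_id not in CLIENT_SECRETS:
        return False
    if not client_password:
        return True  # the bypass: no comparison is ever performed
    return hmac.compare_digest(client_password.encode(), CLIENT_SECRETS[client_id])


def authenticate_client_hardened(client_id, client_password):
    """Reject unknown clients and empty or missing secrets before any
    comparison, then compare the presented secret in constant time."""
    if not client_id or client_id not in CLIENT_SECRETS:
        return False
    if client_password is None or client_password.strip() == "":
        return False
    return hmac.compare_digest(client_password.encode(), CLIENT_SECRETS[client_id])


if __name__ == "__main__":
    # Constructed request bodies: one legitimate, one with an empty secret.
    good = "grant_type=client_credentials&client_id=webapp&client_password=s3cr3t-webapp"
    bad = "grant_type=client_credentials&client_id=webapp&client_password="
    print("empty secret in request:", has_empty_client_password(bad))
    print("vulnerable accepts empty:", authenticate_client_vulnerable("webapp", ""))
    print("hardened accepts empty:", authenticate_client_hardened("webapp", ""))
    print("hardened accepts valid:", authenticate_client_hardened("webapp", "s3cr3t-webapp"))
```

The pre-check uses `keep_blank_values=True` because `parse_qs` drops empty parameters by default, which would make the empty-secret case indistinguishable from a request that never sent a client_password at all.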
🔍 How to Verify
Check if Vulnerable:
Check the LemonLDAP::NG version and test OAuth2 client authentication with an empty client_password parameter
Check Version:
perl -MLemonldap::NG::Portal -e 'print $Lemonldap::NG::Portal::VERSION'
Verify Fix Applied:
Test OAuth2 client authentication with an empty client_password parameter; the request should be rejected after the patch
📡 Detection & Monitoring
Log Indicators:
- OAuth2 client authentication attempts with an empty client_password parameter
- Successful authentications from unexpected clients
Network Indicators:
- HTTP POST requests to the OAuth2 token endpoint with an empty password field
- Unusual authentication patterns
SIEM Query:
source="lemonldap.log" AND "client_password=" AND ("" OR "null" OR "empty")
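As an added example (not from the advisory or from LemonLDAP::NG), the following Python script applies the two log indicators listed above to a handful of constructed audit lines: token requests whose client_password value is empty, and successful client authentications from a client_id outside a known allowlist. The key=value line format, the client allowlist and the event name are assumptions made for the example; a real deployment would adapt the parser to its own portal log format.

```python
# Constructed allowlist of OAuth2 clients expected to authenticate.
KNOWN_CLIENTS = {"webapp", "mobile"}

# Constructed sample log lines in a hypothetical key=value format.
# Non-empty secrets are shown masked as *** so no secret is ever logged.
LOG_LINES = [
    "2024-09-01T10:00:01Z portal event=oidc_token client_id=webapp client_password=*** result=success",
    "2024-09-01T10:00:07Z portal event=oidc_token client_id=webapp client_password= result=success",
    "2024-09-01T10:00:09Z portal event=oidc_token client_id=rogue-app client_password= result=success",
    "2024-09-01T10:00:12Z portal event=login user=alice result=success",
    "2024-09-01T10:00:15Z portal event=oidc_token client_id=mobile client_password=*** result=fail",
]


def parse_kv(line: str) -> dict:
    """Split a log line into key=value fields; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
    return fields


def detect(lines, known_clients=KNOWN_CLIENTS):
    """Return (indicator, client_id) tuples for every token event that
    matches one of the log indicators from the advisory."""
    alerts = []
    for line in lines:
        f = parse_kv(line)
        if f.get("event") != "oidc_token":
            continue  # only OAuth2 token requests are of interest here
        client_id = f.get("client_id", "?")
        # Indicator 1: client authentication attempted with an empty secret.
        if "client_password" in f and f["client_password"] == "":
            alerts.append(("empty_client_password", client_id))
        # Indicator 2: a successful authentication from an unexpected client.
        if f.get("result") == "success" and client_id not in known_clients:
            alerts.append(("unexpected_client", client_id))
    return alerts


if __name__ == "__main__":
    for indicator, client_id in detect(LOG_LINES):
        print(f"{indicator}: client_id={client_id}")
```

Note that the empty-secret check distinguishes a present-but-empty client_password from a line that never carries the field at all, which is the case a text search for `client_password=` followed by an empty string cannot express reliably.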
🔗 References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/06d771cbc2d5c752354c50f83e4912e5879f9aa2
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/236cdfe42c1dc04a15a4a40c5e6a8c2e858d71d7
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/696f49a0855faeb271096dccb8381e2129687c3d
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3223
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags