CVE-2019-19791

critical

Description

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

References

https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-7-is-out

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943

Details

Source: MITRE, NVD

Published: 2023-05-29

Updated: 2025-01-14

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00031