Vulnerability-Lookup

CVE-2012-6426 (GCVE-0-2012-6426)

Vulnerability from cvelistv5 – Published: 2013-01-01 15:00 – Updated: 2024-09-16 19:41

Summary

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://jira.ow2.org/browse/LEMONLDAP-570	x_refsource_CONFIRM
	http://openwall.com/lists/oss-security/2012/12/19/6	mailing-listx_refsource_MLIST
	http://openwall.com/lists/oss-security/2012/12/20/6	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:28:39.922Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
          },
          {
            "name": "[oss-security] 20121219 [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
          },
          {
            "name": "[oss-security] 20121220 Re: [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-01-01T15:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
        },
        {
          "name": "[oss-security] 20121219 [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
        },
        {
          "name": "[oss-security] 20121220 Re: [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2012-6426",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://jira.ow2.org/browse/LEMONLDAP-570",
              "refsource": "CONFIRM",
              "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
            },
            {
              "name": "[oss-security] 20121219 [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
            },
            {
              "name": "[oss-security] 20121220 Re: [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
              "refsource": "MLIST",
              "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2012-6426",
    "datePublished": "2013-01-01T15:00:00Z",
    "dateReserved": "2012-12-18T00:00:00Z",
    "dateUpdated": "2024-09-16T19:41:54.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.2.2\", \"matchCriteriaId\": \"ED6058D6-728B-4D2B-9831-DB79B8638E02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9D5DE397-22D0-4DFC-8884-ED827206C03D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.7:beta:*:*:*:*:*:*\", \"matchCriteriaId\": \"EF1264A0-364B-439D-BCB0-8FF2BE171C90\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"238F6C20-6F9B-4A0C-922C-08630D25A878\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4CFA94B9-AF1D-45E6-9006-F6F3356570EE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6C8BE385-2C6F-4B94-9C02-EC7819A8F820\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.8.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AEE5003B-9C4F-4DDE-8A10-436D69415943\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"528F1593-406A-4170-9D59-6A55638FC665\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.9.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"364F986D-011F-43F7-9170-DC5223816230\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.9.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ACEACC11-E67E-45BF-98F3-D8D76B97B573\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.9.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ACF2B52B-6ACC-44A6-BEDB-1B12DAE6B72F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.9.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AB76D1B0-F3DE-4F48-BFF9-6F73B43D4CBB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"368C6300-8CD1-48E5-A334-D820B78C28C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"3E237CD3-C059-4F01-A4CC-0756465343DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"5BD61823-C2D8-495D-90A3-CB932FBF6AC5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1247A28C-C3DE-4F11-8FB6-8D74CC5D967A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C3068CC-3698-438C-B4CE-E5325621257A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CFB792BC-D101-4337-9850-369576BA4633\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CED00DFE-0004-4D64-A740-37507061413E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"786D892E-575D-4525-A332-550D36055A99\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"85EB1328-D97B-4670-9F75-48ABFFF354DD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C365B18-C226-432C-BE2B-2DF750A85866\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"434705C1-C2FE-43F6-BB90-45BD0A57DFF6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B47A073C-D194-46B2-BF53-26286A9592A8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9EDCFAB-F8EA-4CF1-8A41-CD223239A0B7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D9C9784C-9CB6-4CC4-B25C-BB07E448E9FF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.\"}, {\"lang\": \"es\", \"value\": \"LemonLDAP::NG antes de v1.2.3 no utiliza la capacidad de verificaci\\u00f3n de firma de la biblioteca Lasso, lo que permite a atacantes remotos evitar restricciones de control de acceso a trav\\u00e9s de los datos SAML elaborados.\"}]",
      "id": "CVE-2012-6426",
      "lastModified": "2024-11-21T01:46:05.963",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2013-01-01T15:55:02.493",
      "references": "[{\"url\": \"http://jira.ow2.org/browse/LEMONLDAP-570\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"http://openwall.com/lists/oss-security/2012/12/19/6\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://openwall.com/lists/oss-security/2012/12/20/6\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://jira.ow2.org/browse/LEMONLDAP-570\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://openwall.com/lists/oss-security/2012/12/19/6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://openwall.com/lists/oss-security/2012/12/20/6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2012-6426\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2013-01-01T15:55:02.493\",\"lastModified\":\"2025-05-28T17:23:02.190\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.\"},{\"lang\":\"es\",\"value\":\"LemonLDAP::NG antes de v1.2.3 no utiliza la capacidad de verificaci\u00f3n de firma de la biblioteca Lasso, lo que permite a atacantes remotos evitar restricciones de control de acceso a trav\u00e9s de los datos SAML elaborados.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D5DE397-22D0-4DFC-8884-ED827206C03D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.7:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF1264A0-364B-439D-BCB0-8FF2BE171C90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"238F6C20-6F9B-4A0C-922C-08630D25A878\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"528F1593-406A-4170-9D59-6A55638FC665\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"368C6300-8CD1-48E5-A334-D820B78C28C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3E237CD3-C059-4F01-A4CC-0756465343DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\::1.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BD61823-C2D8-495D-90A3-CB932FBF6AC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.2.2\",\"matchCriteriaId\":\"716485DA-2ACE-40E9-946D-6C0D7A2E5709\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"857A8822-238E-4A3E-8293-D45384EAA37F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE3C5F89-E040-4CD0-B30C-9D87007227CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.8.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B06F9784-2012-44FD-862F-B3AF351B5CF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.9.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45B3A7F3-05B2-4B87-A66E-2F70F9918DD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"554072EE-2A17-4988-8470-ABEDFB1D02AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.9.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B58AB9F-06A5-4EB3-A1B3-713D05C14E83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:0.9.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2879AE4D-41D8-4402-B310-B4AB998EA37F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22209E9C-7C1A-4047-B98D-924EBE8D8255\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A586686-9A6A-4E8B-8085-9A080BCDA7D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"13BA6093-E3C6-4FAF-AABE-6AF570D919F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C009D0C2-D885-479F-B650-D44DECDEA0CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16315F68-A052-4437-80D8-FB70F2C849F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7018C0D4-5995-4F44-86D0-B9DF49D18222\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"366AB20B-80A7-4F82-8398-29C852389E8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"944D6801-AC4F-41EF-A250-1A314C94CEFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99C5C9FE-778B-49A0-8349-14A26E90AE7D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6CBE4BA-8A6B-423C-AA76-BE375A6EB58E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:lemonldap-ng:lemonldap\\\\:\\\\:ng:1.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF920EA2-B35C-42F3-B27D-610A79A76AEE\"}]}]}],\"references\":[{\"url\":\"http://jira.ow2.org/browse/LEMONLDAP-570\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://openwall.com/lists/oss-security/2012/12/19/6\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://openwall.com/lists/oss-security/2012/12/20/6\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://jira.ow2.org/browse/LEMONLDAP-570\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://openwall.com/lists/oss-security/2012/12/19/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://openwall.com/lists/oss-security/2012/12/20/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GHSA-9Q8M-R734-6GG5

Vulnerability from github – Published: 2022-05-17 05:17 – Updated: 2022-05-17 05:17

Details

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2012-6426"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-01T15:55:00Z",
    "severity": "HIGH"
  },
  "details": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.",
  "id": "GHSA-9q8m-r734-6gg5",
  "modified": "2022-05-17T05:17:03Z",
  "published": "2022-05-17T05:17:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6426"
    },
    {
      "type": "WEB",
      "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2012-6426

Vulnerability from fkie_nvd - Published: 2013-01-01 15:55 - Updated: 2025-05-28 17:23

Severity ?

Summary

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

References

URL	Tags
cve@mitre.org	http://jira.ow2.org/browse/LEMONLDAP-570	Patch
cve@mitre.org	http://openwall.com/lists/oss-security/2012/12/19/6
cve@mitre.org	http://openwall.com/lists/oss-security/2012/12/20/6
af854a3a-2127-422b-91ae-364da2661108	http://jira.ow2.org/browse/LEMONLDAP-570	Patch
af854a3a-2127-422b-91ae-364da2661108	http://openwall.com/lists/oss-security/2012/12/19/6
af854a3a-2127-422b-91ae-364da2661108	http://openwall.com/lists/oss-security/2012/12/20/6

Impacted products

Vendor	Product	Version
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\
lemonldap-ng	lemonldap\	\

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D5DE397-22D0-4DFC-8884-ED827206C03D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.7:beta:*:*:*:*:*:*",
              "matchCriteriaId": "EF1264A0-364B-439D-BCB0-8FF2BE171C90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "238F6C20-6F9B-4A0C-922C-08630D25A878",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "528F1593-406A-4170-9D59-6A55638FC665",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "368C6300-8CD1-48E5-A334-D820B78C28C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "3E237CD3-C059-4F01-A4CC-0756465343DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "5BD61823-C2D8-495D-90A3-CB932FBF6AC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "716485DA-2ACE-40E9-946D-6C0D7A2E5709",
              "versionEndIncluding": "1.2.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "857A8822-238E-4A3E-8293-D45384EAA37F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE3C5F89-E040-4CD0-B30C-9D87007227CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.8.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B06F9784-2012-44FD-862F-B3AF351B5CF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "45B3A7F3-05B2-4B87-A66E-2F70F9918DD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "554072EE-2A17-4988-8470-ABEDFB1D02AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.9.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B58AB9F-06A5-4EB3-A1B3-713D05C14E83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:0.9.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "2879AE4D-41D8-4402-B310-B4AB998EA37F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "22209E9C-7C1A-4047-B98D-924EBE8D8255",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A586686-9A6A-4E8B-8085-9A080BCDA7D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "13BA6093-E3C6-4FAF-AABE-6AF570D919F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C009D0C2-D885-479F-B650-D44DECDEA0CB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "16315F68-A052-4437-80D8-FB70F2C849F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "7018C0D4-5995-4F44-86D0-B9DF49D18222",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "366AB20B-80A7-4F82-8398-29C852389E8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "944D6801-AC4F-41EF-A250-1A314C94CEFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "99C5C9FE-778B-49A0-8349-14A26E90AE7D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6CBE4BA-8A6B-423C-AA76-BE375A6EB58E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\:ng:1.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF920EA2-B35C-42F3-B27D-610A79A76AEE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data."
    },
    {
      "lang": "es",
      "value": "LemonLDAP::NG antes de v1.2.3 no utiliza la capacidad de verificaci\u00f3n de firma de la biblioteca Lasso, lo que permite a atacantes remotos evitar restricciones de control de acceso a trav\u00e9s de los datos SAML elaborados."
    }
  ],
  "id": "CVE-2012-6426",
  "lastModified": "2025-05-28T17:23:02.190",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-01-01T15:55:02.493",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2012-6426

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

Aliases

CVE-2012-6426

Aliases

CVE-2012-6426

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2012-6426",
    "description": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.",
    "id": "GSD-2012-6426"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2012-6426"
      ],
      "details": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.",
      "id": "GSD-2012-6426",
      "modified": "2023-12-13T01:20:17.458377Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2012-6426",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://jira.ow2.org/browse/LEMONLDAP-570",
            "refsource": "CONFIRM",
            "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
          },
          {
            "name": "[oss-security] 20121219 [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
            "refsource": "MLIST",
            "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
          },
          {
            "name": "[oss-security] 20121220 Re: [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
            "refsource": "MLIST",
            "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.9.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.8.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.2.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.9.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.9.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.8.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::1.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.9.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.8.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:lemonldap-ng:lemonldap\\:\\::0.7:beta:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2012-6426"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20121220 Re: [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://openwall.com/lists/oss-security/2012/12/20/6"
            },
            {
              "name": "[oss-security] 20121219 [CVE-2012-6426] LemonLDAP-NG SAML XML Signature Wrapping",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://openwall.com/lists/oss-security/2012/12/19/6"
            },
            {
              "name": "http://jira.ow2.org/browse/LEMONLDAP-570",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2013-01-07T05:00Z",
      "publishedDate": "2013-01-01T15:55Z"
    }
  }
}

CERTA-2012-AVI-753

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été corrigée dans LemonLDAP::NG. Elle concerne la bibliothèque Lasso qui ne vérifie pas les signatures SAML. Un utilisateur malintentionné peut ainsi usurper l'identité d'un autre utilisateur.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
N/A	N/A	LemonLDAP::NG version 1.0
N/A	N/A	LemonLDAP::NG version 1.2.0
N/A	N/A	LemonLDAP::NG version 1.2.2
N/A	N/A	LemonLDAP::NG version 1.2.1
N/A	N/A	LemonLDAP::NG version 1.1.0

References

Title

Publication Time

Tags

Bulletin de sécurité OW2 LEMONLDAP-570 du 19 décembre 2012

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "LemonLDAP::NG version 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.2.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.2.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2012-6426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-6426"
    }
  ],
  "links": [],
  "reference": "CERTA-2012-AVI-753",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2012-12-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan\nclass=\"textit\"\u003eLemonLDAP::NG\u003c/span\u003e. Elle concerne la biblioth\u00e8que \u003cspan\nclass=\"textit\"\u003eLasso\u003c/span\u003e qui ne v\u00e9rifie pas les signatures SAML. Un\nutilisateur malintentionn\u00e9 peut ainsi usurper l\u0027identit\u00e9 d\u0027un autre\nutilisateur.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans LemonLDAP::NG",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 OW2 LEMONLDAP-570 du 19 d\u00e9cembre 2012",
      "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
    }
  ]
}

CERTA-2012-AVI-753

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
N/A	N/A	LemonLDAP::NG version 1.0
N/A	N/A	LemonLDAP::NG version 1.2.0
N/A	N/A	LemonLDAP::NG version 1.2.2
N/A	N/A	LemonLDAP::NG version 1.2.1
N/A	N/A	LemonLDAP::NG version 1.1.0

References

Title

Publication Time

Tags

Bulletin de sécurité OW2 LEMONLDAP-570 du 19 décembre 2012

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "LemonLDAP::NG version 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.2.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.2.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "LemonLDAP::NG version 1.1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2012-6426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-6426"
    }
  ],
  "links": [],
  "reference": "CERTA-2012-AVI-753",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2012-12-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan\nclass=\"textit\"\u003eLemonLDAP::NG\u003c/span\u003e. Elle concerne la biblioth\u00e8que \u003cspan\nclass=\"textit\"\u003eLasso\u003c/span\u003e qui ne v\u00e9rifie pas les signatures SAML. Un\nutilisateur malintentionn\u00e9 peut ainsi usurper l\u0027identit\u00e9 d\u0027un autre\nutilisateur.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans LemonLDAP::NG",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 OW2 LEMONLDAP-570 du 19 d\u00e9cembre 2012",
      "url": "http://jira.ow2.org/browse/LEMONLDAP-570"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2012-6426 (GCVE-0-2012-6426)

GHSA-9Q8M-R734-6GG5

FKIE_CVE-2012-6426

GSD-2012-6426

CERTA-2012-AVI-753

Solution

CERTA-2012-AVI-753

Solution

Tags

Sightings

Nomenclature