Missing Expiration Check in OAuth2.0 Handler Confirms Access Token Validity Vulnerability
CVE-2021-35473

9.1CRITICAL

Key Information:

Vendor: LemonLDAP::NG
Vendor: CVE Published:; 10 November 2024

🔔 Create LemonLDAP::NG Vulnerability Alert

What is CVE-2021-35473?

A security vulnerability in LemonLDAP::NG affects the OAuth2.0 handler, specifically due to a missing expiration check. This oversight permits attackers to exploit expired access tokens from OpenID Connect (OIDC) clients, gaining unauthorized access to the OAuth2 handler. The vulnerability is present in all versions before 2.0.12, highlighting the need for updates to secure access token validation.

References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2024
Vulnerability Reserved
Jun 23, 2021

CVE-2021-35473 Data

JSON