Control: tags -1 + confirmed

On Thu, 2022-02-24 at 15:44 +0100, Yadd wrote:
> lemonldap-ng is vulnerable to password bypass (impact critical) in a
> very
> unlikely setup (probability very low). CVE-2021-40874
> 
> [ Impact ]
> In such configuration, a remote lemonldap-ng system that queries the
> main lemonldap-ng system using internal lemonldap-ng protocol instead
> of
> SAML/OpenID-Connect, accepts user with _wrong password; if and only
> if_
> main lemonldap-ng system is configured to use both Kerberos and LDAP
> authentication.
> 

Please go ahead.

Regards,

Adam

Reply via email to