Control: tags -1 + confirmed

On Thu, 2022-02-24 at 15:44 +0100, Yadd wrote:
> lemonldap-ng is vulnerable to password bypass (impact critical) in a
> very unlikely setup (probability very low). CVE-2021-40874
>
> [ Impact ]
> In such configuration, a remote lemonldap-ng system that queries the
> main lemonldap-ng system using internal lemonldap-ng protocol instead
> of SAML/OpenID-Connect, accepts user with _wrong password; if and only
> if_ main lemonldap-ng system is configured to use both Kerberos and
> LDAP authentication.
>

Please go ahead.

Regards,

Adam