CVE-2019-15941 in LemonLDAP::NG

Summary

by MITRE

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.


Analysis

by VulDB Data Team • 05/28/2025

The vulnerability identified as CVE-2019-15941 affects LemonLDAP::NG versions 2.x through 2.0.5, specifically the OpenID Connect Issuer component. It is a critical access control bypass rooted in the implementation of the OpenID Connect authentication flow: the issuer does not sufficiently validate authorization requests against the LemonLDAP configuration, which gives an attacker a way around the configured security policies and to protected resources.

The bypass is triggered by a crafted OpenID Connect authorization request that steers the authentication flow through a Relying Party with a weaker access control rule set. When LemonLDAP::NG processes such a request, it does not validate or filter the redirection URI parameter, so an attacker can craft a request that names a Relying Party with less restrictive access controls. The access decision is then made under that weaker rule set, and the trust between the different Relying Parties within a single LemonLDAP configuration is what lets the stronger policy be bypassed.

The operational impact goes beyond simple unauthorized access: an attacker can potentially escalate privileges or reach sensitive data that should be protected by the stronger access control rules. The vulnerability is particularly concerning because it requires minimal effort to exploit and affects any organization that relies on LemonLDAP::NG for identity management and access control. Resources that would normally be protected by the more stringent policy become reachable, undermining the access control framework that LemonLDAP::NG is designed to provide.

Organizations running LemonLDAP::NG versions 2.x through 2.0.5 should immediately upgrade to a patched version, configure strict filtering on redirection URIs for every OpenID Connect Relying Party, and review all access control policies to confirm they are enforced as intended. The vulnerability aligns with CWE-284 Access Control Bypass and can be categorized under ATT&CK technique T1078 Valid Accounts, as it abuses legitimate authentication mechanisms to gain unauthorized access. It also illustrates a failure of least privilege and of input validation in identity management systems, underlining the need for robust controls in authentication flows and for thorough testing of access control mechanisms in complex identity management environments.
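The mitigation above amounts to two checks an OIDC issuer must make together: the access rule it enforces is the one of the Relying Party named by client_id, and the redirect_uri must be one that this same RP has registered, compared by exact string match. The following Python model is an added illustration and is not LemonLDAP::NG code; the RP registry, client ids, URIs and group names are constructed for the example, and the "groups" access rule stands in for whatever rule language the issuer uses. It shows the weak setting (an RP with no registered redirect URIs, accepting anything) beside the corrected behaviour, plus a small audit helper that lists RPs still lacking a redirect allow-list.

```python
"""Model of the per-RP redirect_uri check an OIDC issuer should apply.

Added example, not LemonLDAP::NG code. Registry contents are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RelyingParty:
    client_id: str
    # Registered redirection URIs. An empty tuple models the "no filtering on
    # redirection URIs" misconfiguration named in the advisory.
    redirect_uris: tuple = ()
    # Access rule for this RP, modelled as the set of groups allowed through.
    allowed_groups: frozenset = frozenset()


# Constructed registry: one weakly protected RP without redirect filtering and
# one strongly protected RP with an exact-match allow-list.
REGISTRY = {
    "portal-weak": RelyingParty("portal-weak", (), frozenset({"employees"})),
    "hr-strong": RelyingParty(
        "hr-strong",
        ("https://hr.example.test/oidc/callback",),
        frozenset({"hr-admins"}),
    ),
}


def redirect_uri_allowed(rp, redirect_uri, *, require_filtering):
    """Exact-string match against the RP's registered URIs.

    With require_filtering=False an RP that registered no URIs accepts any
    redirect_uri (the weak behaviour). With True such an RP is rejected, so a
    missing allow-list fails closed instead of open.
    """
    if not rp.redirect_uris:
        return not require_filtering
    # Exact comparison only: no prefix, host-only or pattern matching, which
    # would let extra path segments or other hosts slip through.
    return redirect_uri in rp.redirect_uris


def authorize(client_id, redirect_uri, user_groups, *, require_filtering=True):
    """Return (ok, reason) for an authorization request.

    The access rule applied is that of the RP named by client_id, so the
    redirect target must be one registered by that same RP.
    """
    rp = REGISTRY.get(client_id)
    if rp is None:
        return False, "unknown_client"
    # Policy chosen for this example: only https redirect targets.
    if urlsplit(redirect_uri).scheme != "https":
        return False, "redirect_uri_not_https"
    if not redirect_uri_allowed(rp, redirect_uri, require_filtering=require_filtering):
        return False, "redirect_uri_not_registered"
    if not (set(user_groups) & rp.allowed_groups):
        return False, "access_denied"
    return True, "ok"


def rps_without_redirect_filtering(registry):
    """Configuration audit: client ids of RPs that would accept any redirect_uri."""
    return sorted(cid for cid, rp in registry.items() if not rp.redirect_uris)


if __name__ == "__main__":
    # Weak setting: the unfiltered RP accepts a redirect to the HR callback.
    print(authorize("portal-weak", "https://hr.example.test/oidc/callback",
                    ["employees"], require_filtering=False))
    # Corrected setting: the same request is refused.
    print(authorize("portal-weak", "https://hr.example.test/oidc/callback",
                    ["employees"]))
    print("RPs to fix:", rps_without_redirect_filtering(REGISTRY))
```

The audit helper is the part worth running against a real configuration export: every RP it lists is one for which the "no filtering on redirection URIs" precondition of the advisory holds, regardless of how strong that RP's own access rule is.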
