{"id":"UBUNTU-CVE-2023-28862","details":"An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.","modified":"2025-10-24T05:01:54Z","published":"2023-03-31T17:15:00Z","upstream":["CVE-2023-28862"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-28862"},{"type":"REPORT","url":"https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/aadbb02471bf2a5effd7590708edb8a180f27948"},{"type":"REPORT","url":"https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/334"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-28862"}],"affected":[{"package":{"name":"lemonldap-ng","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/lemonldap-ng@1.4.6-3?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.3-1","1.4.6-1","1.4.6-2","1.4.6-3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.4.6-3","binary_name":"lemonldap-ng"},{"binary_version":"1.4.6-3","binary_name":"liblemonldap-ng-common-perl"},{"binary_version":"1.4.6-3","binary_name":"liblemonldap-ng-conf-perl"},{"binary_version":"1.4.6-3","binary_name":"liblemonldap-ng-handler-perl"},{"binary_version":"1.4.6-3","binary_name":"liblemonldap-ng-manager-perl"},{"binary_version":"1.4.6-3","binary_name":"liblemonldap-ng-portal-perl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28862.json"}},{"package":{"name":"lemonldap-ng","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/lemonldap-ng@1.9.16-2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9.10-1","1.9.13-2","1.9.14-1","1.9.15-1","1.9.16-2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.9.16-2","binary_name":"lemonldap-ng"},{"binary_version":"1.9.16-2","binary_name":"lemonldap-ng-fastcgi-server"},{"binary_version":"1.9.16-2","binary_name":"lemonldap-ng-handler"},{"binary_version":"1.9.16-2","binary_name":"liblemonldap-ng-common-perl"},{"binary_version":"1.9.16-2","binary_name":"liblemonldap-ng-handler-perl"},{"binary_version":"1.9.16-2","binary_name":"liblemonldap-ng-manager-perl"},{"binary_version":"1.9.16-2","binary_name":"liblemonldap-ng-portal-perl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28862.json"}},{"package":{"name":"lemonldap-ng","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/lemonldap-ng@2.0.7+ds-2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.5+ds-2","2.0.6+ds-2","2.0.7+ds-2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.7+ds-2","binary_name":"lemonldap-ng"},{"binary_version":"2.0.7+ds-2","binary_name":"lemonldap-ng-fastcgi-server"},{"binary_version":"2.0.7+ds-2","binary_name":"lemonldap-ng-handler"},{"binary_version":"2.0.7+ds-2","binary_name":"lemonldap-ng-uwsgi-app"},{"binary_version":"2.0.7+ds-2","binary_name":"liblemonldap-ng-common-perl"},{"binary_version":"2.0.7+ds-2","binary_name":"liblemonldap-ng-handler-perl"},{"binary_version":"2.0.7+ds-2","binary_name":"liblemonldap-ng-manager-perl"},{"binary_version":"2.0.7+ds-2","binary_name":"liblemonldap-ng-portal-perl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28862.json"}},{"package":{"name":"lemonldap-ng","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/lemonldap-ng@2.0.13+ds-3ubuntu1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.0.11+ds-4","2.0.13+ds-3","2.0.13+ds-3ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"lemonldap-ng"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"lemonldap-ng-fastcgi-server"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"lemonldap-ng-handler"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"lemonldap-ng-uwsgi-app"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"liblemonldap-ng-common-perl"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"liblemonldap-ng-handler-perl"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"liblemonldap-ng-manager-perl"},{"binary_version":"2.0.13+ds-3ubuntu1","binary_name":"liblemonldap-ng-portal-perl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28862.json"}},{"package":{"name":"lemonldap-ng","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/lemonldap-ng@2.18.2+ds-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.16.2+ds-1","2.17.1+ds-1","2.17.2+ds-1","2.17.2+ds-2","2.18.1+ds-1","2.18.2+ds-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.18.2+ds-1","binary_name":"lemonldap-ng"},{"binary_version":"2.18.2+ds-1","binary_name":"lemonldap-ng-fastcgi-server"},{"binary_version":"2.18.2+ds-1","binary_name":"lemonldap-ng-handler"},{"binary_version":"2.18.2+ds-1","binary_name":"lemonldap-ng-uwsgi-app"},{"binary_version":"2.18.2+ds-1","binary_name":"liblemonldap-ng-common-perl"},{"binary_version":"2.18.2+ds-1","binary_name":"liblemonldap-ng-handler-perl"},{"binary_version":"2.18.2+ds-1","binary_name":"liblemonldap-ng-manager-perl"},{"binary_version":"2.18.2+ds-1","binary_name":"liblemonldap-ng-portal-perl"},{"binary_version":"2.18.2+ds-1","binary_name":"liblemonldap-ng-ssoaas-apache-client-perl"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28862.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}