VDB
CVE-2021-35473
CVE-2021-35473
PUBLISHED
An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use a expired access token from an OIDC client to access the OAuth2 handler The earliest affected version is 2.0.4.
EPSS 0.15% · 35.5th percentile
Risk Scores
EPSS Score
0.15%
35.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | lemonldap-ng | 0, 2.0.7+ds-2, 2.0.6+ds-2 |
| Ubuntu:16.04:LTS | lemonldap-ng | 1.3.3-1, 0, 1.4.6-1 |
| Ubuntu:18.04:LTS | lemonldap-ng | 1.9.13-2, 0, 1.9.10-1 |
Exploit Intelligence
Timeline
- Nov 10, 2024 CVE Published
- Nov 10, 2024 PoC Published
- Nov 11, 2024 EPSS Score
- Nov 19, 2024 CVE Updated
- Nov 29, 2024 EPSS Score
- Dec 18, 2024 EPSS Score
- Jan 4, 2025 EPSS Score
- Jan 22, 2025 EPSS Score
- Feb 9, 2025 EPSS Score
- Feb 27, 2025 EPSS Score
- Mar 16, 2025 EPSS Score
- Apr 3, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-35473 third-party-advisory
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-35473 third-party-advisory