CVE-2021-35473

{"id": "CVE-2021-35473", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-11-10T23:15:04.383", "references": [{"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549", "source": "cve@mitre.org"}, {"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use a expired access token from an OIDC client to access the OAuth2 handler The earliest affected version is 2.0.4."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en LemonLDAP::NG antes de la versi\u00f3n 2.0.12. Falta una comprobaci\u00f3n de caducidad en el controlador OAuth2.0, es decir, no verifica la validez del token de acceso. Un atacante puede usar un token de acceso caducado de un cliente OIDC para acceder al controlador OAuth2. La primera versi\u00f3n afectada es la 2.0.4."}], "lastModified": "2024-11-19T20:35:13.347", "sourceIdentifier": "cve@mitre.org"}