CVE-2012-6426

high

Published 2013-01-01 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.5

Description

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2012-6426 NameCVE-2012-6426 DescriptionLemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search,…

CVE-2012-6426

Name	CVE-2012-6426
Description	LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	696329

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
lemonldap-ng (PTS)	bullseye	2.0.11+ds-4+deb11u5	fixed
	bullseye (security)	2.0.11+ds-4+deb11u8	fixed
	bookworm	2.16.1+ds-deb12u8	fixed
	bookworm (security)	2.16.1+ds-deb12u6	fixed
	trixie	2.21.2+ds-1+deb13u2	fixed
	forky	2.22.3+ds-1	fixed
	sid	2.23.0+ds-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
lemonldap-ng	source	squeeze	(not affected)
lemonldap-ng	source	wheezy	1.1.2-5+deb7u1
lemonldap-ng	source	(unstable)	1.2.2-3	696329

Notes

[squeeze] - lemonldap-ng <not-affected> (SAML code not present)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[squeeze] - lemonldap-ng <not-affected> (SAML code not present)

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.2.2-3`
sid	Fixed	`1.2.2-3`
forky	Fixed	`1.2.2-3`
bullseye	Fixed	`1.2.2-3`
bookworm	Fixed	`1.2.2-3`

Application impact

Vendor	Product	Versions	Fixed
lemonldap-ng	lemonldap\	`\`

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.