CVE-2024-45160 is a security vulnerability identified in LemonLDAP::NG, an open-source web single sign-on (SSO) and access management system widely used for authentication and authorization services. The flaw exists in versions 2.18.x and 2.19.x before 2.19.2, where the OAuth2 client authentication mechanism incorrectly validates credentials. Specifically, the system accepts an empty client_password (client secret) parameter, allowing attackers to bypass the OAuth2 client authentication process entirely. This means an attacker can impersonate a legitimate OAuth2 client without possessing the required secret, gaining unauthorized access to protected resources. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a failure to properly enforce authentication controls. The CVSS v3.1 base score is 9.1 (critical), with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), but no impact on availability (A:N). Although no exploits have been reported in the wild yet, the ease of exploitation and critical impact make this vulnerability highly dangerous. LemonLDAP::NG is often deployed in enterprise and government environments to manage access to web applications, making this vulnerability a significant risk for unauthorized data access and potential privilege escalation.

The vulnerability allows attackers to bypass OAuth2 client authentication, leading to unauthorized access to sensitive systems and data. This can compromise confidentiality by exposing protected information and integrity by enabling attackers to act as legitimate clients, potentially manipulating or accessing resources without authorization. Since the flaw does not require privileges or user interaction, it can be exploited remotely and easily, increasing the attack surface. Organizations relying on LemonLDAP::NG for authentication in critical infrastructure, government, or enterprise environments face risks of data breaches, unauthorized system access, and potential lateral movement within networks. The absence of availability impact means systems remain operational but compromised. The critical severity and network exploitability elevate the urgency for mitigation to prevent potential large-scale breaches or espionage activities.

1. Immediately upgrade LemonLDAP::NG to version 2.19.2 or later, where the vulnerability is patched. 2. If upgrading is not immediately possible, implement strict network-level access controls to restrict access to the LemonLDAP::NG OAuth2 endpoints only to trusted clients and IP addresses. 3. Monitor authentication logs for unusual OAuth2 client authentication attempts, especially those with empty or missing client_password parameters. 4. Employ additional multi-factor authentication (MFA) mechanisms on top of OAuth2 client authentication to reduce the risk of unauthorized access. 5. Conduct a thorough audit of all OAuth2 clients registered in LemonLDAP::NG to ensure no unauthorized clients exist. 6. Review and tighten OAuth2 client secret management policies to prevent weak or empty secrets. 7. Consider deploying web application firewalls (WAFs) with rules to detect and block requests missing client_password parameters. 8. Educate security teams about this vulnerability to ensure rapid detection and response to potential exploitation attempts.