[security][CVE-2024-45160] regression in OIDC client authentication allows an empty client_secret to be accepted
Affected version
Version: 2.18.0
Summary
Starting with LemonLDAP::NG 2.18.0, an empty client secret is accepted by LemonLDAP::NG even if the RP is not configured as a public client.
Logs
[Thu Aug 8 18:55:29 2024] [LLNG:1681482] [debug] URL detected as an OpenID Connect TOKEN URL
[Thu Aug 8 18:55:29 2024] [LLNG:1681482] [debug] Method none used
[Thu Aug 8 18:55:29 2024] [LLNG:1681482] [debug] Authentication method: none
Problem: the "none" authentication method is accepted even if the client is not public. There was nothing in the release notes about this.
First bad commit: 06d771cb
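The following is an added illustration, not LemonLDAP::NG code (the project is written in Perl; Python is used here only so the example runs stand-alone). It models token-endpoint client authentication the way the logs above describe it: a request whose client_secret is empty is classified as method "none". The regressed check accepts "none" for any registered client, so a confidential RP can obtain a token with no secret; the fixed check only allows "none" for RPs registered as public. The client registry, the `public` flag and the sample requests are constructed for the example.

```python
"""Model of OIDC token-endpoint client authentication.

Added example, NOT LemonLDAP::NG code. Shows the reported behaviour
(empty client_secret -> method "none" -> accepted for a confidential RP)
beside a check that honours the RP's public/confidential registration.
"""
import base64
import hmac
from urllib.parse import parse_qs

# Constructed RP registry (assumption: a 'public' flag marks RPs that are
# allowed to use client authentication method "none").
CLIENTS = {
    "confidential-rp": {"public": False, "client_secret": "s3cr3t"},
    "spa-rp": {"public": True, "client_secret": ""},
}


def parse_client_auth(headers, body):
    """Return (client_id, client_secret, method) from a token request.

    Handles client_secret_basic (Authorization: Basic) and
    client_secret_post (form fields). Mirrors the logged behaviour: a
    request whose secret is empty is classified as method "none".
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        raw = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, _, secret = raw.partition(":")
        method = "client_secret_basic"
    else:
        form = parse_qs(body, keep_blank_values=True)
        client_id = form.get("client_id", [""])[0]
        secret = form.get("client_secret", [""])[0]
        method = "client_secret_post"
    if secret == "":
        method = "none"
    return client_id, secret, method


def authenticate_regressed(headers, body):
    """Behaviour described in the report: method "none" is accepted for
    every registered client. Returns the authenticated client_id or None."""
    client_id, secret, method = parse_client_auth(headers, body)
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if method == "none":
        return client_id  # BUG: never checks that the RP is public
    if hmac.compare_digest(secret, client["client_secret"]):
        return client_id
    return None


def authenticate_fixed(headers, body):
    """Hardened check: "none" is only valid for public RPs; a confidential
    RP must present a non-empty secret matching its registration."""
    client_id, secret, method = parse_client_auth(headers, body)
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["public"]:
        return client_id  # public RP: identification only, nothing to verify
    if method == "none" or not client["client_secret"]:
        return None  # confidential RP without a usable secret: reject
    if hmac.compare_digest(secret, client["client_secret"]):
        return client_id
    return None


# Constructed token requests for the example (not taken from the report).
EMPTY_SECRET_POST = (
    "grant_type=authorization_code&code=abc123"
    "&redirect_uri=https%3A%2F%2Frp.example%2Fcb"
    "&client_id=confidential-rp&client_secret="
)
VALID_POST = EMPTY_SECRET_POST + "s3cr3t"
EMPTY_SECRET_BASIC = {
    "Authorization": "Basic " + base64.b64encode(b"confidential-rp:").decode()
}

if __name__ == "__main__":
    print("regressed, empty secret:", authenticate_regressed({}, EMPTY_SECRET_POST))
    print("fixed, empty secret:    ", authenticate_fixed({}, EMPTY_SECRET_POST))
    print("fixed, valid secret:    ", authenticate_fixed({}, VALID_POST))
```

The same classification applies to an `Authorization: Basic` header whose password part is empty, which is why the fixed check keys on the RP's registration rather than on how the (empty) secret arrived. On a real deployment the equivalent check is a POST to the token endpoint with `client_secret=` for a confidential RP: an affected server answers with a token, a fixed one with `invalid_client`.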
Edited by Maxime Besson