Name | CVE-2025-59518
---|---
Description | In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail: the rule evaluator does not localize the `_` symbol (which Perl's Safe module shares with the calling code by default) while a rule is evaluated. An administrator who can edit a rule that is evaluated by the Safe jail can therefore execute commands on the server. Fixed upstream in 2.16.7 and 2.21.3.
Source | CVE (at NVD)
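As an added illustration (not code from LemonLDAP::NG and not the project's actual patch), the script below shows the sharing behaviour behind the description: Perl's Safe module shares the `_` glob with the calling code by default, so a rule evaluated with `reval` can assign to `$_` and the caller sees the new value once `reval` returns, while localizing `$_` for the duration of the call contains that write. The rule text, the function names and the choice of `local $_` as the localizing statement are assumptions made for this example; the page does not say which statement the upstream commits use, nor how the shared value reaches a command on the server, and this example does not claim to show that.

```perl
#!/usr/bin/perl
# Added illustration; not LemonLDAP::NG code and not its patch.
# Safe shares the `_` glob with the caller by default, so a rule evaluated
# in the compartment can overwrite the caller's $_; localizing $_ around the
# evaluation discards whatever the rule assigned when the scope exits.
use strict;
use warnings;
use Safe;

# Constructed rule text: returns true like a normal rule, but also assigns to $_.
my $rule = q{ $_ = "set inside the compartment"; 1 };

# Unlocalized evaluation: the caller's $_ is exposed to the rule.
sub eval_rule_unlocalized {
    my ($safe, $rule_text) = @_;
    my $result = $safe->reval($rule_text);
    die "rule did not compile or run: $@" if $@;
    return $result;
}

# Hypothetical hardened evaluation (assumption for this example): $_ is
# localized for the duration of reval, so the rule's assignment is undone
# when this sub returns.
sub eval_rule_localized {
    my ($safe, $rule_text) = @_;
    local $_;
    my $result = $safe->reval($rule_text);
    die "rule did not compile or run: $@" if $@;
    return $result;
}

# Sets $_ the way a caller that relies on it would, runs the given evaluator
# on the constructed rule, and returns what $_ holds afterwards.
sub caller_underscore_after {
    my ($evaluator) = @_;
    my $safe = Safe->new;
    $_ = "value the caller depends on";
    $evaluator->($safe, $rule);
    return $_;
}

printf "unlocalized: \$_ is now '%s'\n",
    caller_underscore_after(\&eval_rule_unlocalized);
printf "localized:   \$_ is now '%s'\n",
    caller_underscore_after(\&eval_rule_localized);
```

With the unlocalized evaluator, `caller_underscore_after` returns the string the rule assigned, because the compartment's `$_` and the caller's `$_` are the same variable; with the localized evaluator it returns the caller's original value. Note that the rule itself is entirely within what a default Safe opmask permits (a scalar assignment), so the opcode mask offers no protection here; the isolation has to come from the caller not exposing state it later trusts.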
The table below lists information on source packages.
Source Package | Release | Version | Status
---|---|---|---
lemonldap-ng (PTS) | bullseye | 2.0.11+ds-4+deb11u5 | vulnerable
lemonldap-ng | bullseye (security) | 2.0.11+ds-4+deb11u7 | vulnerable
lemonldap-ng | bookworm, bookworm (security) | 2.16.1+ds-deb12u6 | vulnerable
lemonldap-ng | trixie | 2.21.2+ds-1 | vulnerable
lemonldap-ng | forky, sid | 2.21.3+ds-1 | fixed
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
---|---|---|---|---|---|---
lemonldap-ng | source | (unstable) | 2.21.3+ds-1 | | |
[trixie] - lemonldap-ng <no-dsa> (Minor issue)
[bookworm] - lemonldap-ng <no-dsa> (Minor issue)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3462
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3470
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/6e86f70be5499d09dfaaff307632be8a10f7e58f (v2.21.3)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/0c1ae1644bbddad34da2644228953babf137f64c (v2.21.3)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/228d01945d48015f3f9ea8a8dc64d7e6a27750e9 (v2.16.7)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/8b5ce4de7716f550d353f406b4867378c81aee7c (v2.16.7)