LemonLDAP::NG 2.0.12 is out!


This release contains fixes for CVE-2021-35473 and CVE-2021-35472. Please read the instructions below to upgrade your installation.

Security

CVE-2021-35473

You are impacted only if you use the OAuth2 Handler. Upgrading to 2.0.12 is enough. See also issue 2549.

CVE-2021-35472

When using the 2FA system, a cache corruption can let an attacker obtain higher access or spoof a user identity. Upgrading to 2.0.12 is enough. See also issue 2539.

TOTP management

Before 2.0.12, if TOTP secrets were displayed in the second factor management screen, and if "Use 2FA for session upgrade" was enabled, an attacker who had stolen a user's password could register the existing TOTP on his own device and gain secured access. To avoid this, current TOTP secrets can never be displayed. If a TOTP is lost, it must be renewed. Upgrading to 2.0.12 is enough. See also issue 2543.

XSS in HTML email templates

Before 2.0.12, XSS could happen when a bad value was inserted in the register form. To avoid this, the HTML email templates have been changed. Upgrading to 2.0.12 is enough unless you have customized the HTML email templates; in that case, follow the upgrade notes. See also issue 2495.

URL validations

Some issues were found in URL validations, which could lead to untrusted redirection or CDA session theft. Upgrading to 2.0.12 is enough. See also issue 2477 and issue 2535.

Read the upgrade notes to check all needed actions.

Changelog

New features:

  • FindUser plugin: allows searching for an account, mainly used with the Impersonate plugin
  • CrowdSec plugin: provides a CrowdSec bouncer that can reject requests from CrowdSec banned IPs, or just provide an environment variable that can be used in another plugin rule
  • Timeout for 2FA registration can now be set to a higher value
  • New hooks for CAS issuer, OIDC issuer and password change
  • New option to allow showing the password in the login form
  • Support JWT as OAuth 2.0 Bearer Access Tokens

See full changelog: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/76

Download

Credits

They made this release:

  • Core team: Maxime Besson, David Coutadeur, Xavier Guimard, Christophe Maudoux and Clément Oudot
  • Organizations: Gendarmerie Nationale, Worteks, CNAMTS, Orange, Douanes
  • Community (issues opening, tests, patches, pull requests): Olivier Gouëllain, Alex Kelly, Marek Wójtowicz, Antoine Gallavardin, Xavier Bachelot, Paul Curie, Aurelien Tisne, Soisik Froger, Luca Olivetti, Ross Steiner, Albert Rinceau, Claude Loiseau, Andreas Deschka, Louis Chemineau, Daniel Berteaud, Andy Tan

If you use LemonLDAP::NG and enjoy it, please let us know: