CVE-2023-44469: 
Linux Debian vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the OpenID Connect Issuer component of LemonLDAP::NG versions before 2.17.1. The vulnerability, identified as CVE-2023-44469, was disclosed in September 2023 and is similar to CVE-2020-10770. This security flaw allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter (NVD).

The vulnerability exists in the OpenID Connect implementation where the request_uri parameter in the authorization URL can be manipulated to point to arbitrary URLs. The CVSS v3.1 base score is 4.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-918 (Server-Side Request Forgery) (NVD, GitLab Issue).

When exploited, this vulnerability allows an authenticated attacker to make the OpenID Provider interact with arbitrary servers under their control, potentially leading to SSRF attacks. This could enable attackers to probe internal networks and potentially access resources that should not be accessible from external networks (Security Blog).

The vulnerability has been fixed in LemonLDAP::NG version 2.17.1. For security reasons, the URI value of the request_uri parameter should be carefully validated at server-side, and a strict whitelist of allowed URI values should be defined during the OpenID client registration process (GitLab Issue, Debian Advisory).