Vulnerability Description
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI: the handler evaluates its access rules against the request URI as submitted, while the protected backend serves the normalized form of the path, so a raw path that fails to match a protective rule can still reach the resource that rule was meant to cover. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lemonldap-Ng | Lemonldap::NG | <= 2.0.8 |
| Lemonldap-Ng | Lemonldap::NG handler for Node.js | < 0.5.2 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2 (Third Party Advisory)
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHS (Third Party Advisory)
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 (Exploit, Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4762 (Third Party Advisory)
FAQ
What is CVE-2020-24660?
CVE-2020-24660 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
How severe is CVE-2020-24660?
CVE-2020-24660 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-24660?
Yes. LemonLDAP::NG releases after 2.0.8 and version 0.5.2 of the Node.js handler contain the fix, and Debian shipped a corrected package for Debian 10 in DSA-4762. See the references section above for the vendor advisories. Affected products: Lemonldap-Ng Lemonldap::NG (<= 2.0.8), Lemonldap-Ng Lemonldap::NG handler for Node.js (< 0.5.2), Debian Debian Linux (10.0). After upgrading, confirm that requests using path variants such as dot segments, doubled slashes or percent-encoded characters are matched against the normalized path rather than the raw request URI.