Описание
Lack of URL normalization may lead to authorization bypass when URL access rules are used
Impact
When access rules are used inside a protected host, some URL encodings may bypass filtering system.
Patches
Version 0.5.2 includes a patch that fixes the vulnerability
Workarounds
No way for users to fix or remediate the vulnerability without upgrading
References
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
For more information
If you have any questions or comments about this advisory:
- Open an issue in this repository or LemonLDAP::NG GitLab
- Email us at lemonldap-ng-users@ow2.org
Ссылки
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67
- https://nvd.nist.gov/vuln/detail/CVE-2020-24660
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/commit/136aa83ed431462fa42ce17b7f9b24e056de06be
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
- https://snyk.io/vuln/SNYK-JS-NODELEMONLDAPNGHANDLER-655999
- https://www.debian.org/security/2020/dsa-4762
- https://www.npmjs.com/package/lemonldap-ng-handler
Пакеты
lemonldap-ng-handler
< 0.5.2
0.5.2
Связанные уязвимости
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is ...
Уязвимость системы аутентификации для веб-приложений LemonLDAP::NG, связанная с ошибкой обработки ключей авторизации, позволяющая нарушителю получить несанкционированный доступ к информации