CVE-2020-24660 — Forced Browsing in Lemonldap-ng

CWE-425 — Forced Browsing CWE-287 — Improper Authentication5 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 28.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Lemonldap-ng Lemonldap-ng Lemonldap Debian Linux

Timeline

PublishedSep 14

Description

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/lemonldap-ng< lemonldap-ng 2.0.9+ds-1 (bookworm)

▶NVDlemonldap-ng/lemonldap2.0.8+1

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

CVE-2020-24660: An issue was discovered in LemonLDAP::NG through 2↗2020-09-14

▶

GHSA

Lack of URL normalization may lead to authorization bypass when URL access rules are used↗2020-09-09

▶

OSV

Lack of URL normalization may lead to authorization bypass when URL access rules are used↗2020-09-09

▶

📋Vendor Advisories

Debian

CVE-2020-24660: lemonldap-ng - An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An a...↗2020

▶