Lack of URL normalization may lead to authorization bypass when URL access rules are used

Moderate severity GitHub Reviewed Published Sep 9, 2020 in LemonLDAPNG/node-lemonldap-ng-handler • Updated Jan 9, 2023

Package

npm lemonldap-ng-handler (npm)

Affected versions

< 0.5.2

Patched versions

0.5.2

Description

Impact

When access rules are used inside a protected host, some URL encodings may bypass the filtering system.
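As an added illustration (not code from lemonldap-ng-handler or from the referenced fix), the following contrasts a rule matcher that compares the raw request path against a hypothetical per-host rule table with one that canonicalizes the path (percent-decoding, dot-segment resolution, slash collapsing) before matching and fails closed on malformed encodings:

```javascript
// Added example, not code from lemonldap-ng-handler: canonicalize the request
// path before matching it against per-host access rules, so every encoding of
// a resource is checked against the same rule. The rule table is hypothetical.
const RULES = [
  { prefix: '/admin', allow: (user) => user.role === 'admin' },
  { prefix: '/',      allow: () => true },
];

// First matching rule wins; "/" is the catch-all.
function findRule(path) {
  return RULES.find((r) =>
    r.prefix === '/' || path === r.prefix || path.startsWith(r.prefix + '/'));
}

// Resolve "." and ".." segments and collapse empty ones ("//", trailing "/").
function resolveDots(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}
// Returns the canonical path, or null when percent-encoding is malformed.
function normalizePath(rawUrl) {
  let p = rawUrl.split(/[?#]/, 1)[0];      // drop query/fragment before decoding
  for (let i = 0; i < 4; i++) {            // bounded loop also handles double encoding
    let d;
    try { d = decodeURIComponent(p); } catch { return null; }
    if (d === p) break;
    p = d;
  }
  return resolveDots(p);
}

// Vulnerable shape: the raw path is matched exactly as received.
function naiveIsAllowed(rawUrl, user) {
  const rule = findRule(rawUrl.split(/[?#]/, 1)[0]);
  return rule ? rule.allow(user) : false;
}

// Hardened shape: normalize first, fail closed on unparsable input.
function isAllowed(rawUrl, user) {
  const path = normalizePath(rawUrl);
  if (path === null) return false;
  const rule = findRule(path);
  return rule ? rule.allow(user) : false;
}
```

The web server and the handler must agree on the canonical form; if the server decodes or resolves segments differently before dispatching to the protected application, the rule must be evaluated on the form the application will actually see.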

Patches

Version 0.5.2 includes a patch that fixes the vulnerability.

Workarounds

There is no way for users to fix or remediate the vulnerability without upgrading.

References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290

For more information

If you have any questions or comments about this advisory:

Reviewed Sep 9, 2020
Published to the GitHub Advisory Database Sep 9, 2020
Last updated Jan 9, 2023

Severity

Moderate
6.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2020-24660

GHSA ID

GHSA-x44x-r84w-8v67