CVE-2020-24660
Severity: MEDIUM 6.5 | EPSS: 0.68%
Lack of URL normalization may lead to authorization bypass when URL access rules are used
Published: 9/9/2020Modified: 4/28/2026
Description
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. The handler matches URL-based access rules against the request URI without normalizing it first, so an attacker can bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI that is equivalent to a protected path but does not match the rule as written. The same flaw affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package. It is fixed in LemonLDAP::NG 2.0.9 and in handler release 0.5.2 (see the affected-package versions below for the Debian backports).
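The following is an added illustration, not code from LemonLDAP::NG or from the Node.js handler: a minimal access-rule evaluator that first tests rules against the request path as received (the class of flaw described above) and then against a normalized path. The rule set, the user objects and the probe paths are constructed for the demonstration, and the normalization steps (one percent-decode, dot-segment resolution, collapsing of empty segments, rejection of anything still percent-encoded) are one reasonable canonicalization, not necessarily the one the upstream fix uses.

```javascript
// Added example (not LemonLDAP::NG's own code): URL access rules evaluated
// on a raw path versus a normalized path. Rules, users and probe paths are
// constructed for the demonstration.
const rules = [
  // First matching rule wins, as in most rule-ordered access control.
  { pattern: /^\/admin(\/|$)/, allow: (user) => user.role === 'admin' },
  { pattern: /^\//,            allow: (user) => user.authenticated === true },
];

function evaluate(path, user) {
  const rule = rules.find((r) => r.pattern.test(path));
  return rule ? rule.allow(user) : false; // no matching rule: deny
}

// Vulnerable variant: rules are tested against the request-target as sent.
function isAllowedRaw(rawPath, user) {
  return evaluate(rawPath, user);
}

// Canonicalize a request path: drop the query string, percent-decode once,
// collapse empty segments ('//'), resolve '.' and '..' segments. Returns
// null on input that does not normalize cleanly so the caller can deny.
function normalizePath(rawPath) {
  const pathOnly = rawPath.split('?', 1)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // A residual '%' means a second encoding layer (e.g. %2561 -> %61). Rather
  // than guess how many times the backend will decode, refuse the request.
  // This is deliberately strict and also rejects a literal '%' in a path.
  if (decoded.includes('%')) return null;
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; } // cannot climb above '/'
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Hardened variant: normalize first, deny if normalization fails.
function isAllowedNormalized(rawPath, user) {
  const path = normalizePath(rawPath);
  if (path === null) return false;
  return evaluate(path, user);
}

// Constructed request paths that a backend which normalizes the URI before
// routing would all serve as /admin/users.
const probes = [
  '/admin/users',
  '/./admin/users',
  '/public/../admin/users',
  '//admin/users',
  '/%61dmin/users',
];
const bob = { authenticated: true, role: 'user' };   // ordinary user
const root = { authenticated: true, role: 'admin' }; // administrator

// One row per probe: does each variant let the ordinary user through?
function bypassTable() {
  return probes.map((p) => ({
    path: p,
    rawAllows: isAllowedRaw(p, bob),
    normalizedAllows: isAllowedNormalized(p, bob),
  }));
}

for (const row of bypassTable()) {
  console.log(`${row.path.padEnd(24)} raw=${row.rawAllows} normalized=${row.normalizedAllows}`);
}
```

The raw variant lets the ordinary user reach every probe except the literal `/admin/users`, because the rule regex never sees the equivalent spellings; the normalized variant denies all of them. The "when NGINX is used" qualifier in the description matters because NGINX percent-decodes the path, merges repeated slashes and resolves dot segments into `$uri` before matching a `location`, so an access decision taken on the un-normalized request-target can disagree with the resource the backend actually serves. The access check has to be made on the same canonical form the backend routes on, and a path that does not normalize cleanly should be denied rather than passed through.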
Affected packages (4)
- Debian/lemonldap-ng: from 0, < 2.0.9+ds-1
- Debian/lemonldap-ng: from 0, < 1.9.7-3+deb9u4
- Debian/lemonldap-ng: from 0, < 2.0.2+ds-7+deb10u5
- npm/lemonldap-ng-handler: from 0, < 0.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (10)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-24660
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2020-24660
- PATCH https://github.com/LemonLDAPNG/node-lemonldap-ng-handler
- WEB https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/commit/136aa83ed431462fa42ce17b7f9b24e056de06be
- WEB https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2
- WEB https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67
- WEB https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
- WEB https://snyk.io/vuln/SNYK-JS-NODELEMONLDAPNGHANDLER-655999
- WEB https://www.debian.org/security/2020/dsa-4762
- WEB https://www.npmjs.com/package/lemonldap-ng-handler