CVE-2020-24660
Severity: MEDIUM 6.5 | EPSS 0.68% | Lack of URL normalization may lead to authorization bypass when URL access rules are used
Description
### Impact

When access rules are used inside a protected host, some URL encodings may bypass the filtering system.

### Patches

Version 0.5.2 includes a patch that fixes the vulnerability.

### Workarounds

No way for users to fix or remediate the vulnerability without upgrading.

### References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [this repository](https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/issues) or [LemonLDAP::NG GitLab](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues)
- Email us at [[email protected]](mailto:[email protected])
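The defensive point behind this advisory is that an access rule written against a literal path only protects what the rule engine actually sees: if the engine compares the raw request path, a percent-encoded or dot-segment variant of a protected path falls through to the default rule. The following JavaScript is an added example, not code from node-lemonldap-ng-handler or LemonLDAP::NG; the rule list, the user objects and the sample paths are constructed for illustration, and the decode-until-stable cap is an assumed policy choice.

```javascript
// Added example, not code from node-lemonldap-ng-handler or LemonLDAP::NG.
// Shows why access rules must be matched against a normalized path:
// a rule written for "/admin" never sees an encoded variant of that path
// unless the path is canonicalized first. Rules, users and paths are constructed.

// Decode percent-encoding until the string stops changing. Malformed
// sequences, or a string still changing after maxRounds, are treated as
// untrustworthy and yield null so the caller can deny the request.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      return null; // URIError: malformed percent-encoding
    }
    if (next === cur) return cur;
    cur = next;
  }
  return null; // assumed policy: deeper nesting than maxRounds is rejected
}

// Collapse "." and ".." segments and repeated slashes; ".." never climbs above "/".
function collapseSegments(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Canonical path for rule matching: query/fragment removed, percent-decoded,
// dot-segments resolved. Returns null when the input cannot be trusted.
function normalizePath(rawPath) {
  const pathOnly = rawPath.split(/[?#]/, 1)[0];
  const decoded = fullyDecode(pathOnly);
  if (decoded === null) return null;
  return collapseSegments(decoded);
}

// Constructed access rules: first matching rule wins; unmatched paths use DEFAULT_RULE.
const ACCESS_RULES = [
  { match: /^\/admin(\/|$)/, allow: (user) => user.role === 'admin' },
  { match: /^\/api\/private(\/|$)/, allow: (user) => Boolean(user.id) },
];
const DEFAULT_RULE = (user) => Boolean(user.id); // any authenticated user

function evaluateRules(p, user) {
  const rule = ACCESS_RULES.find((r) => r.match.test(p));
  return rule ? rule.allow(user) : DEFAULT_RULE(user);
}

// Weak form: rules are matched against the raw request path.
function isAllowedRaw(rawPath, user) {
  return evaluateRules(rawPath, user);
}

// Hardened form: normalize first and deny anything that fails normalization.
function isAllowedNormalized(rawPath, user) {
  const norm = normalizePath(rawPath);
  if (norm === null) return false;
  return evaluateRules(norm, user);
}

// Demonstration with a constructed non-admin user.
const regularUser = { id: 'u1', role: 'user' };
for (const p of ['/admin/users', '/%61dmin/users', '/public/../admin/users']) {
  console.log(p, 'raw:', isAllowedRaw(p, regularUser), 'normalized:', isAllowedNormalized(p, regularUser));
}
```

Two design choices are worth stating explicitly when adopting this pattern: normalization must be the single canonical form the rule engine and the backend agree on (if the backend decodes a slash that the rule engine did not, the two disagree about which resource is being requested), and inputs that cannot be decoded cleanly are denied rather than passed through unchanged, since "could not normalize" is exactly the case in which the raw string and the backend's interpretation are most likely to differ.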
Affected packages (4)
- Debian/lemonldap-ng: from 0, < 2.0.9+ds-1
- Debian/lemonldap-ng: from 0, < 1.9.7-3+deb9u4
- Debian/lemonldap-ng: from 0, < 2.0.2+ds-7+deb10u5
- npm/lemonldap-ng-handler: from 0, < 0.5.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-24660
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-24660
- PATCH: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler
- WEB: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/commit/136aa83ed431462fa42ce17b7f9b24e056de06be
- WEB: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2
- WEB: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67
- WEB: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
- WEB: https://snyk.io/vuln/SNYK-JS-NODELEMONLDAPNGHANDLER-655999
- WEB: https://www.debian.org/security/2020/dsa-4762
- WEB: https://www.npmjs.com/package/lemonldap-ng-handler