In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Lemonldap::ng | Lemonldap-ng | * | 2.0.7 (excluding) |