An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the Lemonldap::NG handler for Node.js package.
Weakness
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lemonldap::ng | Lemonldap-ng | * | 2.0.8 (including) |
| Lemonldap::ng_handler | Lemonldap-ng | * | 0.5.2 (including) |
| Lemonldap-ng | Ubuntu | bionic | * |
| Lemonldap-ng | Ubuntu | focal | * |
| Lemonldap-ng | Ubuntu | groovy | * |
| Lemonldap-ng | Ubuntu | trusty | * |
| Lemonldap-ng | Ubuntu | upstream | * |
| Lemonldap-ng | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/127.html
- https://cwe.mitre.org/data/definitions/143.html
- https://cwe.mitre.org/data/definitions/144.html
- https://cwe.mitre.org/data/definitions/668.html
- https://cwe.mitre.org/data/definitions/87.html
References
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
- https://www.debian.org/security/2020/dsa-4762
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2
- https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
- https://www.debian.org/security/2020/dsa-4762