CVE-2020-24660
moderate-risk
Published 2020-09-14
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
Do I need to act?
0.68% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Fix available. Upgrade to: 3ccfc6fb4c7a466778505a84e43f56e9f5574e06
CVSS 9.8/10 (Critical); attack vector: NETWORK, attack complexity: LOW
Affected Products (3)
Affected Vendors
References (8)
Third Party Advisory
https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/releases/tag/0.5.2
Third Party Advisory
https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHS...
Third Party Advisory
https://www.debian.org/security/2020/dsa-4762
Risk score: 43/100 (moderate-risk)
Severity: 32/34 (Critical)
Exploitability: 2/34 (Minimal)
Exposure: 9/34 (Low)