CVE-2020-24660

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.

References

Affected packages

Git / github.com/lemonldapng/lemonldap-ng.js

Affected ranges

Type: GIT
Repo: https://github.com/lemonldapng/lemonldap-ng.js
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3ccfc6fb4c7a466778505a84e43f56e9f5574e06

Type

GIT

Repo

https://github.com/lemonldapng/node-lemonldap-ng-handler

Events

Introduced

Last affected

3ccfc6fb4c7a466778505a84e43f56e9f5574e06

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.5.2"
        }
    ]
}

Type

GIT

Repo

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

Events

Introduced

Last affected

062e236b9720205e4dd6d268c5a1b916fd177e85

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.8"
        }
    ]
}

Affected versions

0.*

0.1.2

0.1.3

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.3.0

0.5.0

0.5.2

Other

debian/buster

ubuntu/disco

ubuntu/eoan

ubuntu/focal

ubuntu/groovy

v0.*

v0.5.2

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-24660.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]