An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
{ "binaries": [ { "binary_name": "lemonldap-ng", "binary_version": "1.4.6-3" }, { "binary_name": "liblemonldap-ng-common-perl", "binary_version": "1.4.6-3" }, { "binary_name": "liblemonldap-ng-conf-perl", "binary_version": "1.4.6-3" }, { "binary_name": "liblemonldap-ng-handler-perl", "binary_version": "1.4.6-3" }, { "binary_name": "liblemonldap-ng-manager-perl", "binary_version": "1.4.6-3" }, { "binary_name": "liblemonldap-ng-portal-perl", "binary_version": "1.4.6-3" } ] }
{ "binaries": [ { "binary_name": "lemonldap-ng", "binary_version": "1.9.16-2" }, { "binary_name": "lemonldap-ng-fastcgi-server", "binary_version": "1.9.16-2" }, { "binary_name": "lemonldap-ng-handler", "binary_version": "1.9.16-2" }, { "binary_name": "liblemonldap-ng-common-perl", "binary_version": "1.9.16-2" }, { "binary_name": "liblemonldap-ng-handler-perl", "binary_version": "1.9.16-2" }, { "binary_name": "liblemonldap-ng-manager-perl", "binary_version": "1.9.16-2" }, { "binary_name": "liblemonldap-ng-portal-perl", "binary_version": "1.9.16-2" } ] }
{ "binaries": [ { "binary_name": "lemonldap-ng", "binary_version": "2.0.7+ds-2" }, { "binary_name": "lemonldap-ng-fastcgi-server", "binary_version": "2.0.7+ds-2" }, { "binary_name": "lemonldap-ng-handler", "binary_version": "2.0.7+ds-2" }, { "binary_name": "lemonldap-ng-uwsgi-app", "binary_version": "2.0.7+ds-2" }, { "binary_name": "liblemonldap-ng-common-perl", "binary_version": "2.0.7+ds-2" }, { "binary_name": "liblemonldap-ng-handler-perl", "binary_version": "2.0.7+ds-2" }, { "binary_name": "liblemonldap-ng-manager-perl", "binary_version": "2.0.7+ds-2" }, { "binary_name": "liblemonldap-ng-portal-perl", "binary_version": "2.0.7+ds-2" } ] }