PT-2020-6774 · Unknown · Lemonldap::Ng+1
Maxime Besson · Published 2020-08-20 · Updated 2020-09-18 · CVE-2020-24660
| CVSS v2.0 | 10 (Critical) |
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
LemonLDAP::NG versions through 2.0.8
Lemonldap::NG handler for Node.js versions before 0.5.2
Description
An issue in LemonLDAP::NG allows an attacker to bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. The flaw lies in the access-control mechanism itself: when access rules are used inside a protected host, some URL encodings are not caught by the filtering system, which can allow a remote attacker to gain unauthorized access to information.
Recommendations
For LemonLDAP::NG versions through 2.0.8, update to a version that includes the patch for this issue.
For Lemonldap::NG handler for Node.js versions before 0.5.2, update to version 0.5.2 or later, which includes a patch that fixes the vulnerability.
As a temporary workaround, consider restricting access to protected Virtual Hosts until a patch is applied.
Weakness type
Improper Authentication
Related Identifiers
Affected Products
Lemonldap::Ng
Lemonldap::Ng Handler For Node.Js