CVE-2020-24660

Description

### Impact When access rules are used inside a protected host, some URL encodings may bypass filtering system. ### Patches Version 0.5.2 includes a patch that fixes the vulnerability ### Workarounds No way for users to fix or remediate the vulnerability without upgrading ### References https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 ### For more information If you have any questions or comments about this advisory: * Open an issue in [this repository](https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/issues) or [LemonLDAP::NG GitLab](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues) * Email us at [[email protected]](mailto:[email protected])

How to fix CVE-2020-24660

To remediate CVE-2020-24660, upgrade the affected package to a fixed version below.

• —upgrade to 2.0.9+ds-1 or later
• —upgrade to 1.9.7-3+deb9u4 or later
• —upgrade to 2.0.2+ds-7+deb10u5 or later
• —upgrade to 0.5.2 or later

Is CVE-2020-24660 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.0.9+ds-1
• from 0, < 1.9.7-3+deb9u4
• from 0, < 2.0.2+ds-7+deb10u5
• from 0, < 0.5.2

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-24660
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-24660
• PATCHgithub.com/LemonLDAPNG/node-lemonldap-ng-handler
• WEBgithub.com/LemonLDAPNG/node-lemonldap-ng-handler/commit/136aa83ed431462fa42ce17b7f9b24e056de06be