X.509 Certificate Validation Gap in Apache Session LDAP by LemonLDAP
CVE-2020-36658

8.1HIGH

Key Information:

Vendor: Lemonldap-ng
Status: Apache\
Vendor: CVE Published:; 27 January 2023

🔔 Create Lemonldap-ng Vulnerability Alert

What is CVE-2020-36658?

Apache::Session::LDAP versions prior to 0.5 lack proper validation of X.509 certificates when establishing connections to remote LDAP servers. This issue stems from the default configuration of the Net::LDAPS module used in Perl applications, which does not enforce certificate checks. Consequently, attackers may exploit this oversight to conduct man-in-the-middle attacks or impersonate legitimate LDAP services. To mitigate the risk, it is crucial to implement necessary patches or adjustments in conjunction with associated fixes such as those from CVE-2020-16093.

References

https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit...

https://lists.debian.org/debian-lts-announce/2023/01/msg0...

mailing-list

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 27, 2023
Vulnerability Reserved
Jan 27, 2023

CVE-2020-36658 Data

JSON