CVE-2020-36659 - OpenCVE

In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Lemonldap-ng	Apache\
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:lemonldap-ng:apache\:\:session\:\:browsable:*:*:*:*:*:perl:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00025.html	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-27T00:00:00

Updated: 2023-01-28T00:00:00

Reserved: 2023-01-27T00:00:00

Link: CVE-2020-36659

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-01-27T05:15:17.380

Modified: 2023-02-06T19:54:14.700

Link: CVE-2020-36659

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lemonldap-ng:apache\\:\\:session\\:\\:browsable:*:*:*:*:*:perl:*:*", "matchCriteriaId": "867DE619-B303-4A79-9060-0BBF0A01A899", "versionEndExcluding": "1.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix."}, {"lang": "es", "value": "En Apache::Session::Browseable anterior a 1.3.6, la validez del certificado X.509 no se verifica de forma predeterminada cuando se conecta a backends LDAP remotos, porque se usa la configuraci\u00f3n predeterminada del m\u00f3dulo Net::LDAPS para Perl. NOTA: esto se puede solucionar, por ejemplo, junto con la correcci\u00f3n CVE-2020-16093."}], "id": "CVE-2020-36659", "lastModified": "2023-02-06T19:54:14.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-27T05:15:17.380", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00025.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}