6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24660

GHSA ID

GHSA-x44x-r84w-8v67

EPSS Score

0.70597%

CWE

CWE-287

Published

9/9/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-24660

CVE-2020-24660: Lack of URL normalization may lead to authorization bypass when URL access rules are used

Impact

When access rules are used inside a protected host, some URL encodings may bypass filtering system.

Patches

Version 0.5.2 includes a patch that fixes the vulnerability

Workarounds

No way for users to fix or remediate the vulnerability without upgrading

References

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290

For more information

If you have any questions or comments about this advisory:

Open an issue in this repository or LemonLDAP::NG GitLab
Email us at lemonldap-ng-users@ow2.org

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24660

GHSA ID

GHSA-x44x-r84w-8v67

EPSS Score

0.70597%

CWE

CWE-287

Published

9/9/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lemonldap-ng-handler	npm	< 0.5.2	0.5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper URL normalization before access control checks. The commit diff shows the patched version replaced decodeURI() with normalize-url in the Handler.run method. The original decodeURI only performed partial decoding without handling path normalization, making the authorization checks vulnerable to bypass through alternative encodings and path traversal sequences. This function is directly responsible for processing incoming requests and applying access rules, making it the clear vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n ****ss rul*s *r* us** insi** * prot**t** *ost, som* URL *n*o*in*s m*y *yp*ss *ilt*rin* syst*m. ### P*t***s V*rsion *.*.* in*lu**s * p*t** t**t *ix*s t** vuln*r**ility ### Work*roun*s No w*y *or us*rs to *ix or r*m**i*t* t** vuln*r**

Reasoning

T** vuln*r**ility st*ms *rom improp*r URL norm*liz*tion ***or* ****ss *ontrol ****ks. T** *ommit *i** s*ows t** p*t**** v*rsion r*pl**** ***o**URI() wit* norm*liz*-url in t** **n*l*r.run m*t*o*. T** ori*in*l ***o**URI only p*r*orm** p*rti*l ***o*in*

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-24660: Lack of URL normalization may lead to authorization bypass when URL access rules are used

Impact

Patches

Workarounds

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI