
CVE-2020-24660: Lack of URL normalization may lead to authorization bypass when URL access rules are used

CVSS Score (v3.1): 6.5

Basic Information

- EPSS Score: 0.70597%
- Published: 9/9/2020
- Updated: 1/9/2023
- KEV Status: No
- Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| lemonldap-ng-handler | npm | < 0.5.2 | 0.5.2 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper URL normalization before access control checks. The commit diff shows the patched version replaced decodeURI() with normalize-url in the Handler.run method. The original decodeURI only performed partial decoding without handling path normalization, making the authorization checks vulnerable to bypass through alternative encodings and path traversal sequences. This function is directly responsible for processing incoming requests and applying access rules, making it the clear vulnerable entry point.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

### Impact
When access rules are used inside a protected host, some URL encodings may bypass the filtering system.
### Patches
Version *.*.* includes a patch that fixes the vulnerability.
### Workarounds
No way for users to fix or remediate the vulnerability
