CVE | Vulnerability name | Date | Responsible Security Disclosure by | Vulnerabilities
---|---|---|---|---
CVE-2021-3309 | LDAPbleed | 2021-01-26 0:42 EET | robert-scheck sent the report and the fix, although the report was filed as a public GitHub issue, not via Responsible Security Disclosure. | (see timeline)

Timeline | Details
---|---
2021-01-26 0:42 EET | Report received at public GitHub issue. robert-scheck wrote: "As of writing, Wekan disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, Wekan is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate. Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having `true` as default for `rejectUnauthorized`."
2021-01-28 | Wekan v4.88 2021-01-28 released by xet7 with fix from robert-scheck.
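An added example (not Wekan's code) of the fail-closed configuration policy the report asks for: certificate validation for the LDAP TLS connection stays on unless the operator explicitly sets it off, and a startup audit flags the unsafe state. The variable name LDAP_REJECT_UNAUTHORIZED comes from the report; the parsing rules and the assumed LDAP_HOST variable are this example's own.

```javascript
'use strict';

// Only an explicit "false" (case-insensitive, whitespace-trimmed) turns
// validation off. Unset, empty, "true", or a typo such as "flase" all
// keep validation on, so a forgotten or misspelt setting fails closed
// instead of silently disabling certificate checks (CWE-295).
function parseRejectUnauthorized(raw) {
  if (raw === undefined || raw === null) return true;
  return String(raw).trim().toLowerCase() !== 'false';
}

// TLS options in the shape consumed by Node's tls.connect(), which LDAP
// client libraries typically accept as a tlsOptions object.
function ldapTlsOptions(env) {
  return {
    rejectUnauthorized: parseRejectUnauthorized(env.LDAP_REJECT_UNAUTHORIZED),
    // Assumed variable: pin the expected server name so hostname
    // verification checks the right name even when dialling an IP.
    servername: env.LDAP_HOST || undefined,
    minVersion: 'TLSv1.2',
  };
}

// Startup audit an operator can run: returns the effective options plus
// a warning list that is non-empty whenever validation is disabled.
function auditLdapTls(env) {
  const opts = ldapTlsOptions(env);
  const warnings = [];
  if (!opts.rejectUnauthorized) {
    warnings.push(
      'LDAP_REJECT_UNAUTHORIZED=false: LDAP TLS certificate validation is ' +
      'disabled; the directory connection is exposed to MITM'
    );
  }
  return { opts, warnings };
}

// Usage: audit the current process environment.
const audit = auditLdapTls(process.env);
console.log(JSON.stringify(audit.opts));
for (const w of audit.warnings) console.warn('WARNING: ' + w);
```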