Hall of Fame image from https://openclipart.org/detail/120343/trophy
Back to Hall of Fame Contents Back to Wekan Website

Contents / LDAPbleed

CVE Vulnerability name Date Responsible Security Disclosure by Vulnerabilities
CVE-2021-3309 LDAPbleed

2021-01-26 0:42 EET robert-scheck

Did send report and sent fix! Although, report was at public GitHub issue, not via Responsible Security Disclosure
  • Security: SSL/TLS certificate validation for LDAP disabled by default
  • Affected Wekan v1.53.1-v4.87
  • Fixed at Wekan v4.88 2021-01-28

Timeline Details
2021-01-26 0:42 EET Report received at public GitHub issue.

robert-scheck wrote:

As of writing, Wekan disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, Wekan is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate. Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having true as default for rejectUnauthorized.
2021-01-28 Wekan v4.88 2021-01-28 released by xet7 with fix from robert-scheck.

Back to Hall of Fame Contents Back to Wekan Website