Security: SSL/TLS certificate validation for LDAP disabled by default #3482

Closed
robert-scheck opened this issue Jan 25, 2021 · 5 comments
Comments

@robert-scheck
Contributor

As of writing, Wekan disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, Wekan is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate.

Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having true as default for rejectUnauthorized.
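The two defaults the report contrasts, as an added example that is not Wekan's code: a flag such as LDAP_REJECT_UNAUTHORIZED ends up as the `rejectUnauthorized` option handed to Node's TLS layer (ldapjs accepts a `tlsOptions` object for this, and `tls.connect` defaults it to `true`). The opt-in variant reproduces the reported behaviour (validation off unless the variable is explicitly `true`); the opt-out variant is the secure default, where only an explicit `false` disables validation. The function names, the startup guard and the sample environments are assumptions for illustration; nothing here opens a network connection.

```javascript
// Added example, not Wekan's code. Models the configuration logic described in
// the report: LDAP_REJECT_UNAUTHORIZED -> tlsOptions.rejectUnauthorized.
// Function names, the startup guard and the sample environments are assumed.

const ENV_FLAG = 'LDAP_REJECT_UNAUTHORIZED';

// Parse a string flag from the environment; an unset or empty variable
// yields the caller's default, anything else is true only for "true".
function parseFlag(raw, fallback) {
  if (raw === undefined || raw === null || String(raw).trim() === '') {
    return fallback;
  }
  return String(raw).trim().toLowerCase() === 'true';
}

// Weak, opt-in behaviour from the report: certificate validation is OFF
// unless the operator explicitly sets LDAP_REJECT_UNAUTHORIZED=true.
// Any LDAPS/StartTLS server certificate is accepted by default (CWE-295).
function ldapTlsOptionsOptIn(env) {
  return { rejectUnauthorized: parseFlag(env[ENV_FLAG], false) };
}

// Secure-by-default, opt-out behaviour: validation is ON (Node's own default
// for tls.connect) unless the operator explicitly sets the flag to false,
// which is what a throwaway test environment with a self-signed CA would do.
function ldapTlsOptionsOptOut(env) {
  return { rejectUnauthorized: parseFlag(env[ENV_FLAG], true) };
}

// Deployment guard (assumed): a client that accepts any certificate is a MITM
// target, so refuse to start in production and warn loudly anywhere else.
function checkLdapTls(tlsOptions, nodeEnv) {
  if (tlsOptions.rejectUnauthorized === true) {
    return { ok: true, message: 'LDAP TLS certificate validation is enabled' };
  }
  const reason = `${ENV_FLAG} disables LDAP certificate validation; ` +
    'LDAPS/StartTLS connections are open to MITM';
  if (nodeEnv === 'production') {
    return { ok: false, message: `refusing to start: ${reason}` };
  }
  return { ok: true, message: `warning: ${reason}` };
}

// Run constructed sample environments through both variants so the
// difference in the unset case is visible side by side.
function compareDefaults() {
  const samples = {
    unset: {},
    explicitTrue: { [ENV_FLAG]: 'true' },
    explicitFalse: { [ENV_FLAG]: 'false' },
  };
  const rows = {};
  for (const [name, env] of Object.entries(samples)) {
    rows[name] = {
      optIn: ldapTlsOptionsOptIn(env).rejectUnauthorized,
      optOut: ldapTlsOptionsOptOut(env).rejectUnauthorized,
    };
  }
  return rows;
}

for (const [name, row] of Object.entries(compareDefaults())) {
  console.log(`${name.padEnd(14)} opt-in: ${row.optIn}  opt-out: ${row.optOut}`);
}
console.log(checkLdapTls(ldapTlsOptionsOptIn({}), 'production').message);
```

The only row that differs is `unset`, which is exactly the deployment most administrators run: the opt-in variant silently yields `rejectUnauthorized: false` there, the opt-out variant yields `true`. The startup guard is the check a practitioner would add so that an insecure setting is at least visible in the logs rather than only in the source code.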

@xet7
Member

xet7 commented Jan 25, 2021

Fixed at #3483

@xet7 xet7 closed this as completed Jan 25, 2021
@robert-scheck
Contributor Author

Wow, thank you for the quick review and merge!

@robert-scheck
Contributor Author

CVE-2021-3309 was assigned by MITRE a few minutes ago.

@xet7
Member

xet7 commented Feb 2, 2021

@robert-scheck

And also a few minutes ago, added to CVE Hall of Fame https://wekan.github.io/hall-of-fame/

@xet7
Member

xet7 commented Feb 2, 2021

@robert-scheck

Thanks for helping with getting CVE numbers! I have not yet got CVE numbers for all of those at Wekan CVE HoF.
