Security: SSL/TLS certificate validation for LDAP disabled by default #3482
As of writing, Wekan disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, Wekan is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate.

Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having true as default for rejectUnauthorized.

Comments

This was referenced Jan 25, 2021

Fixed at #3483

Wow, thank you for the quick review and merge!

CVE-2021-3309 was assigned by MITRE a few minutes ago.

And also a few minutes ago, added to CVE Hall of Fame https://wekan.github.io/hall-of-fame/

Thanks for helping with getting CVE numbers! I have not yet got CVE numbers for all of those at Wekan CVE HoF.