First published: Fri Jan 27 2023
In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/libapache-session-ldap-perl | <=0.4-1 | 0.4-1+deb10u1, 0.5-1 |
ubuntu/libapache-session-ldap-perl | <0.5-1 | 0.5-1 |
ubuntu/libapache-session-ldap-perl | <0.4-1ubuntu0.18.04.1~ | 0.4-1ubuntu0.18.04.1~ |
ubuntu/libapache-session-ldap-perl | <0.4-1+ | 0.4-1+ |
ubuntu/libapache-session-ldap-perl | <0.4-1ubuntu0.16.04.1~ | 0.4-1ubuntu0.16.04.1~ |
LemonLDAP::NG Apache | <0.5 | |
Debian Linux | =10.0 | |
https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit/490722b71eed1ed1ab33d58c78578f23e043561f
CVE-2020-36658 is classified as a moderate severity vulnerability.
To fix CVE-2020-36658, upgrade to libapache-session-ldap-perl version 0.5-1 or later.
Versions up to and including 0.4-1 of libapache-session-ldap-perl are affected by CVE-2020-36658.
CVE-2020-36658 involves a lack of default X.509 certificate validation when connecting to remote LDAP backends.
A possible workaround for CVE-2020-36658 is to configure the Net::LDAPS SSL options manually so that certificate validation is enforced, rather than relying on the module defaults.
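The root cause described above and the manual workaround both come down to the same Net::LDAPS options. The following is an added example, not code from Apache::Session::LDAP or from this advisory: it shows the insecure default connection next to the hardened one at the Net::LDAPS level. The hostname `ldap.example.com` and the CA bundle path are constructed placeholders; the option names `verify` and `cafile` are the documented Net::LDAP SSL options, and `verify` defaults to `none` when not set.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAPS;

# Constructed values: replace with your own directory server and CA bundle.
my $ldap_host = 'ldap.example.com';
my $ca_file   = '/etc/ssl/certs/internal-ca.pem';

# Weak: relies on the Net::LDAPS defaults. With no verify option the module
# uses verify => 'none', so a self-signed or attacker-issued certificate is
# accepted silently and credentials sent over the bind can be intercepted.
my $insecure = Net::LDAPS->new($ldap_host, port => 636)
    or die "connect failed: $@";
$insecure->unbind;

# Hardened: require the server certificate to chain to a CA we trust.
# Net::LDAPS hands these options to IO::Socket::SSL; an untrusted
# certificate now fails the handshake instead of being ignored.
my $secure = Net::LDAPS->new(
    $ldap_host,
    port   => 636,
    verify => 'require',   # reject any certificate that does not verify
    cafile => $ca_file,    # CA bundle the LDAP server certificate must chain to
) or die "verified TLS connection to $ldap_host failed: $@";

# Anonymous bind only to prove the verified connection is usable.
my $mesg = $secure->bind;
die 'bind failed: ' . $mesg->error if $mesg->code;
print "verified TLS connection to $ldap_host established\n";
$secure->unbind;
```

A quick way to confirm the hardened branch is doing its job is to point `cafile` at a bundle that does not contain the issuing CA: `Net::LDAPS->new` should then return undef with an SSL verification error in `$@`, whereas the default-options connection succeeds regardless of which certificate the server presents.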