You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As of writing, wekan-ldap disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, wekan-ldap is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate.
Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having true as default for rejectUnauthorized.
The text was updated successfully, but these errors were encountered:
As of writing, wekan-ldap disables the SSL/TLS certificate validation for LDAP by default unless
LDAP_REJECT_UNAUTHORIZED=trueis explicitly set. Thus, by default, wekan-ldap is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate.Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having
trueas default forrejectUnauthorized.The text was updated successfully, but these errors were encountered: