Security: SSL/TLS certificate validation for LDAP disabled by default #89

robert-scheck · 2021-01-25T18:57:26Z

As of writing, wekan-ldap disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, wekan-ldap is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate.

Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having true as default for rejectUnauthorized.

The text was updated successfully, but these errors were encountered:

This was referenced Jan 25, 2021

Reject by default LDAP connections not authorized via CA trust store #90

Merged

Unable to pass trusted root CA certificate via LDAP_CA_CERT #91

Open

wekan-ldap vs. packages/wekan-ldap wekan/wekan#3480

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: SSL/TLS certificate validation for LDAP disabled by default #89

Security: SSL/TLS certificate validation for LDAP disabled by default #89

robert-scheck commented Jan 25, 2021

Security: SSL/TLS certificate validation for LDAP disabled by default #89

Security: SSL/TLS certificate validation for LDAP disabled by default #89

Comments

robert-scheck commented Jan 25, 2021