-------------------------------------------------------------------------
Debian LTS Advisory DLA-3285-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
January 28, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libapache-session-browseable-perl
Version : 1.3.0-1+deb10u1
CVE ID : CVE-2020-36659
In Apache::Session::Browseable before 1.3.6, validity of the X.509
certificate is not checked by default when connecting to remote LDAP
backends, because the default configuration of the Net::LDAPS module for
Perl is used.
This update changes the default behavior to require X.509 validation
against the distribution bundle /etc/ssl/certs/ca-certificates.crt.
Previous behavior can be reverted by setting `ldapVerify => "none"` when
initializing the Apache::Session::Browseable::LDAP object.
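The following Perl snippet is an added illustration, not code from the advisory or from the Apache::Session::Browseable distribution. It contrasts the pre-update behaviour (Net::LDAPS's default of not verifying the server certificate) with verification against the bundle the update now uses by default, and shows where `ldapVerify` fits when the session backend is initialized. The LDAP URI, bind DN, password and base DN are constructed placeholders; the `ldapServer`, `ldapConfBase`, `ldapBindDN` and `ldapBindPassword` parameters and the Net::LDAP `verify`/`cafile` options are assumed from the modules' documentation, not from this page.

```perl
#!/usr/bin/perl
# Added example (not the advisory's or the module's own code).
use strict;
use warnings;
use Net::LDAP;
use Apache::Session::Browseable::LDAP;

# Constructed placeholders; replace with real values.
my $ldap_uri  = 'ldaps://ldap.example.invalid';
my $bind_dn   = 'cn=sessions,dc=example,dc=invalid';
my $bind_pw   = 'placeholder-password';
my $conf_base = 'ou=sessions,dc=example,dc=invalid';
# Distribution bundle named in the advisory.
my $ca_bundle = '/etc/ssl/certs/ca-certificates.crt';

# Open an LDAPS connection with a given verification policy and report
# whether it succeeded. 'none' is what the unfixed module effectively
# used (Net::LDAPS default); 'require' plus a CA bundle is the fixed
# default. A backend with a self-signed or mismatched certificate will
# connect under 'none' and fail under 'require', which is exactly the
# difference the old default hid.
sub connect_ldaps {
    my ($uri, $verify) = @_;
    my %tls = (verify => $verify);
    $tls{cafile} = $ca_bundle if $verify eq 'require';
    my $ldap = Net::LDAP->new($uri, %tls);
    return $ldap ? ('ok', $ldap) : ('failed', $@);
}

my ($weak_status)            = connect_ldaps($ldap_uri, 'none');
my ($strict_status, $strict) = connect_ldaps($ldap_uri, 'require');
print "unverified TLS: $weak_status\n";
print "verified TLS:   $strict_status\n";
if ($weak_status eq 'ok' && $strict_status ne 'ok') {
    print "backend certificate does not chain to $ca_bundle; ",
          "the old default would have silently accepted it: $strict\n";
}

# Session backend initialization. After DLA-3285-1 the module verifies
# the certificate by default, so nothing extra is needed here. The
# commented-out ldapVerify line reproduces the old, unverified behaviour
# and should only be enabled as a deliberate, documented exception.
my %session;
tie %session, 'Apache::Session::Browseable::LDAP', undef, {
    ldapServer       => $ldap_uri,
    ldapConfBase     => $conf_base,
    ldapBindDN       => $bind_dn,
    ldapBindPassword => $bind_pw,
    # ldapVerify     => 'none',   # legacy behaviour; leave unset
};
$session{example} = 'constructed value';
untie %session;
```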
NOTE: this update is a prerequisite for LemonLDAP::NG's CVE-2020-16093
fix when its session backend is set to Apache::Session::Browseable::LDAP.
For Debian 10 buster, this problem has been fixed in version
1.3.0-1+deb10u1.
We recommend that you upgrade your libapache-session-browseable-perl packages.
For the detailed security status of libapache-session-browseable-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache-session-browseable-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
value:\"p-cpe:/a:debian:debian_linux:libapache-session-ldap-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar debian_release = get_kb_item('Host/Debian/release');\nif ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');\ndebian_release = chomp(debian_release);\nif (! 
preg(pattern:\"^(10)\\.[0-9]+\", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'libapache-session-ldap-perl', 'reference': '0.4-1+deb10u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var _release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (_release && prefix && reference) {\n if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libapache-session-ldap-perl');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "debiancve": [{"lastseen": "2023-06-06T14:55:57", "description": "In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T05:15:00", "type": "debiancve", "title": "CVE-2020-36659", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36659"], "modified": "2023-01-27T05:15:00", "id": "DEBIANCVE:CVE-2020-36659", "href": "https://security-tracker.debian.org/tracker/CVE-2020-36659", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T14:55:56", "description": "In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-18T00:15:00", "type": "debiancve", "title": "CVE-2020-16093", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093"], "modified": "2022-07-18T00:15:00", "id": "DEBIANCVE:CVE-2020-16093", "href": "https://security-tracker.debian.org/tracker/CVE-2020-16093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T14:55:57", "description": "In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T05:15:00", "type": "debiancve", "title": "CVE-2020-36658", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36658"], "modified": "2023-01-27T05:15:00", "id": "DEBIANCVE:CVE-2020-36658", "href": "https://security-tracker.debian.org/tracker/CVE-2020-36658", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-06T14:51:50", "description": "In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T05:15:00", "type": "cve", "title": "CVE-2020-36659", "cwe": ["CWE-295"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36659"], "modified": "2023-02-06T19:54:00", "cpe": ["cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2020-36659", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36659", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:28:37", "description": "In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-18T00:15:00", "type": "cve", "title": "CVE-2020-16093", "cwe": ["CWE-295"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093"], "modified": "2023-02-28T18:29:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/a:lemonldap-ng:lemonldap\\:2.0.8"], "id": "CVE-2020-16093", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:lemonldap-ng:lemonldap\\:2.0.8:ng:*:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:51:50", "description": "In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. 
NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T05:15:00", "type": "cve", "title": "CVE-2020-36658", "cwe": ["CWE-295"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36658"], "modified": "2023-02-06T19:50:00", "cpe": ["cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2020-36658", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36658", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2023-06-07T13:25:12", "description": "In Apache::Session::Browseable before 1.3.6, validity of the X.509\ncertificate is not checked by default when connecting to remote LDAP\nbackends, because the default configuration of the Net::LDAPS module for\nPerl is used. 
NOTE: this can, for example, be fixed in conjunction with the\nCVE-2020-16093 fix.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T00:00:00", "type": "ubuntucve", "title": "CVE-2020-36659", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36659"], "modified": "2023-01-27T00:00:00", "id": "UB:CVE-2020-36659", "href": "https://ubuntu.com/security/CVE-2020-36659", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T13:33:09", "description": "In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509\ncertificate is not checked by default when connecting to remote LDAP\nbackends, because the default configuration of the Net::LDAPS module for\nPerl is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-18T00:00:00", "type": "ubuntucve", "title": "CVE-2020-16093", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093"], "modified": "2022-07-18T00:00:00", "id": "UB:CVE-2020-16093", "href": "https://ubuntu.com/security/CVE-2020-16093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-07T13:25:13", "description": "In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is\nnot checked by default when connecting to remote LDAP backends, because the\ndefault configuration of the Net::LDAPS module for Perl is used. 
NOTE: this\ncan, for example, be fixed in conjunction with the CVE-2020-16093 fix.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-27T00:00:00", "type": "ubuntucve", "title": "CVE-2020-36658", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36658"], "modified": "2023-01-27T00:00:00", "id": "UB:CVE-2020-36658", "href": "https://ubuntu.com/security/CVE-2020-36658", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-06-06T19:46:55", "description": "lemonldap-ng is vulnerable to Improper Certificate Validation. 
X.509 certificate by default is not validated when connecting to remote LDAP backends which allows an attacker to bypass the certification validation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-12T04:41:45", "type": "veracode", "title": "Improper Certificate Validation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093"], "modified": "2023-02-28T19:56:32", "id": "VERACODE:39223", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-39223/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2023-06-06T15:05:44", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-3284-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Guilhem Moulin\nJanuary 28, 2023 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : libapache-session-ldap-perl\nVersion : 0.4-1+deb10u1\nCVE ID : CVE-2020-36658\n\nIn Apache::Session::LDAP before 0.5, validity of the X.509 certificate\nis 
not checked by default when connecting to remote LDAP backends,\nbecause the default configuration of the Net::LDAPS module for Perl is\nused.\n\nThis update changes the default behavior to require X.509 validation\nagainst the distribution bundle /etc/ssl/certs/ca-certificates.crt.\nPrevious behavior can be reverted by setting `ldapVerify => "none"` when\ninitializing the Apache::Session::LDAP object.\n\nNOTE: this update is a prerequisite for LemonLDAP::NG's CVE-2020-16093\nfix when its session backend is set to Apache::Session::LDAP.\n\nFor Debian 10 buster, this problem has been fixed in version\n0.4-1+deb10u1.\n\nWe recommend that you upgrade your libapache-session-ldap-perl packages.\n\nFor the detailed security status of libapache-session-ldap-perl please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/libapache-session-ldap-perl\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-28T12:07:29", "type": "debian", "title": "[SECURITY] [DLA 3284-1] libapache-session-ldap-perl security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2020-36658"], "modified": "2023-01-28T12:07:29", "id": "DEBIAN:DLA-3284-1:A1D31", "href": "https://lists.debian.org/debian-lts-announce/2023/01/msg00024.html", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:05:43", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-3287-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Guilhem Moulin\nJanuary 28, 2023 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : lemonldap-ng\nVersion : 2.0.2+ds-7+deb10u8\nCVE ID : CVE-2020-16093 CVE-2022-37186\n\nTwo vulnerabilities were found in lemonldap-ng, an OpenID-Connect, CAS\nand SAML compatible Web-SSO system, that could result in information\ndisclosure or impersonation.\n\nCVE-2020-16093\n\n Maxime Besson discovered that LemonLDAP::NG before 2.0.9 did not\n check validity of the X.509 certificate by default when connecting\n to remote LDAP backends, because the default configuration of the\n Net::LDAPS module for Perl is used.\n\n This update changes the default behavior to require X.509 validation\n against the distribution bundle /etc/ssl/certs/ca-certificates.crt.\n Previous behavior can be reverted by running\n `/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set ldapVerify none`.\n\n If a session backend is set to Apache::Session::LDAP or\n Apache::Session::Browseable::LDAP, then the complete fix involves\n upgrading the corresponding Apache::Session module\n (libapache-session-ldap-perl resp. libapache-session-browseable-perl)\n to 0.4-1+deb10u1 (or \u22650.5) resp. 1.3.0-1+deb10u1 (or \u22651.3.8). 
See\n related advisories DLA-3284-1 and DLA-3285-1 for details.\n\nCVE-2022-37186\n\n Mickael Bride discovered that under certain conditions the session\n remained valid on handlers after being destroyed on portal.\n\nFor Debian 10 buster, these problems have been fixed in version\n2.0.2+ds-7+deb10u8.\n\nWe recommend that you upgrade your lemonldap-ng packages.\n\nFor the detailed security status of lemonldap-ng please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/lemonldap-ng\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-28T15:38:58", "type": "debian", "title": "[SECURITY] [DLA 3287-1] lemonldap-ng security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-16093", "CVE-2022-37186"], "modified": "2023-01-28T15:38:58", "id": "DEBIAN:DLA-3287-1:853DF", "href": 
"https://lists.debian.org/debian-lts-announce/2023/01/msg00027.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}
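All three advisories above (DLA-3284-1, DLA-3285-1 and DLA-3287-1) come down to the same root cause: Net::LDAPS defaults to `verify => 'none'`, so a TLS handshake to the directory succeeds against any certificate, and the fixed packages flip the default to chain validation against /etc/ssl/certs/ca-certificates.crt, with `ldapVerify` as the opt-out. The Perl below is an added example written for this page; it is not code from the Debian packages, perl-ldap, Apache::Session or LemonLDAP::NG. The host name, bind DN, password and session base are constructed placeholders, and the `ldapCAFile` option name on the session backend is an assumption (the advisories only document `ldapVerify`).

```perl
#!/usr/bin/perl
# Added example: the unverified Net::LDAPS connection that the CVEs
# describe, next to the hardened form the Debian updates now default to.
use strict;
use warnings;
use Net::LDAPS;
use Apache::Session::Browseable::LDAP;

# Constructed placeholders; replace with real values.
my $ldap_host = 'ldap.example.org';
my $bind_dn   = 'cn=sessions,dc=example,dc=org';
my $bind_pw   = 'REPLACE-ME';
my $sess_base = 'ou=sessions,dc=example,dc=org';
my $ca_bundle = '/etc/ssl/certs/ca-certificates.crt';  # bundle the DLAs validate against

# VULNERABLE: no verify => ... means Net::LDAPS's default of 'none', so
# the handshake accepts any certificate and an on-path attacker with a
# self-signed cert can impersonate the directory and read or alter the
# session data and bind credentials passing over the link.
sub connect_unverified {
    my $ldap = Net::LDAPS->new($ldap_host, port => 636)
        or die "LDAPS connect failed: $@";
    return $ldap;
}

# HARDENED: require a chain that ends in the distribution CA bundle.
sub connect_verified {
    my $ldap = Net::LDAPS->new(
        $ldap_host,
        port   => 636,
        verify => 'require',   # handshake fails on an untrusted chain
        cafile => $ca_bundle,
    ) or die "LDAPS connect failed (certificate rejected?): $@";
    my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
    die 'bind failed: ' . $mesg->error if $mesg->code;
    return $ldap;
}

# Show what the live connection negotiated; for ldaps:// the underlying
# socket is an IO::Socket::SSL object.
sub report_tls {
    my ($ldap) = @_;
    my $sock = $ldap->socket;
    printf "cipher=%s peer=%s\n", $sock->get_cipher,
        $sock->peer_certificate('subject');
}

# The same knob on the session backend. The patched Apache::Session::LDAP
# and ::Browseable::LDAP default ldapVerify to 'require'; 'none' restores
# the pre-update behaviour. ldapCAFile is an assumed option name here;
# check the installed module's documentation before relying on it.
sub open_session_store {
    my %session;
    tie %session, 'Apache::Session::Browseable::LDAP', undef, {
        ldapServer       => "ldaps://$ldap_host",
        ldapConfBase     => $sess_base,
        ldapBindDN       => $bind_dn,
        ldapBindPassword => $bind_pw,
        ldapVerify       => 'require',
        ldapCAFile       => $ca_bundle,
    };
    return \%session;
}

my $ldap = connect_verified();
report_tls($ldap);
$ldap->unbind;

my $session = open_session_store();
$session->{created_by} = 'example';   # written to the directory on untie
print "session id: $session->{_session_id}\n";
untie %$session;
```

If the directory uses a private CA, either point `cafile` (and `ldapCAFile`) at that CA's PEM file or add it to the system bundle the Debian default consults (on Debian: drop the PEM into /usr/share/ca-certificates or /usr/local/share/ca-certificates and run update-ca-certificates), rather than falling back to `ldapVerify => "none"`. Whether `verify => 'require'` also checks the host name against the certificate depends on the installed perl-ldap release, so confirm that on the version you run. For LemonLDAP::NG itself the equivalent setting is the `ldapVerify` configuration key that DLA-3287-1 describes via lemonldap-ng-cli.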
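The Nessus plugins quoted above do not probe the LDAP connection at all; they decide purely by comparing the installed package version against the fixed reference (the `deb_check(release:..., prefix:..., reference:...)` calls), which is only right if the comparison follows dpkg's ordering rules (`~` sorts below everything, `+deb10u1` sorts above a bare `-1`, epochs win outright). The Perl below is an added example written for this page, not Tenable's or Debian's code: it re-implements dpkg's version ordering and runs the same check against the fixed versions named in DLA-3284-1, DLA-3285-1 and DLA-3287-1. The sample dpkg-query listing is constructed, not taken from a real host.

```perl
#!/usr/bin/perl
# Added example: dpkg version ordering re-implemented in Perl and used to
# check installed packages against the buster fixes in DLA-3284-1,
# DLA-3285-1 and DLA-3287-1. Not Tenable's or Debian's code.
use strict;
use warnings;

# dpkg's ordering for non-digit characters: '~' sorts before anything,
# including the end of the string; letters before other symbols; a digit
# or end-of-string is 0.
sub _order {
    my ($c) = @_;
    return 0        if !defined $c || $c =~ /^[0-9]$/;
    return ord($c)  if $c =~ /^[A-Za-z]$/;
    return -1       if $c eq '~';
    return ord($c) + 256;
}

# Compare one component (upstream version or Debian revision) the way
# dpkg's verrevcmp() does: alternate non-digit runs and numeric runs.
sub _verrevcmp {
    my @x = split //, shift;
    my @y = split //, shift;
    while (@x || @y) {
        my $first_diff = 0;
        while ((@x && $x[0] !~ /[0-9]/) || (@y && $y[0] !~ /[0-9]/)) {
            my $d = _order($x[0]) - _order($y[0]);
            return $d if $d;
            shift @x; shift @y;
        }
        shift @x while @x && $x[0] eq '0';   # leading zeros are insignificant
        shift @y while @y && $y[0] eq '0';
        while (@x && @y && $x[0] =~ /[0-9]/ && $y[0] =~ /[0-9]/) {
            $first_diff ||= $x[0] <=> $y[0];
            shift @x; shift @y;
        }
        return  1 if @x && $x[0] =~ /[0-9]/;  # longer digit run is larger
        return -1 if @y && $y[0] =~ /[0-9]/;
        return $first_diff if $first_diff;
    }
    return 0;
}

# [epoch:]upstream[-revision]; the revision is everything after the last '-'.
sub _split_version {
    my ($v) = @_;
    my ($epoch, $rest) = $v =~ /^([0-9]+):(.*)$/s ? ($1, $2) : (0, $v);
    my ($up, $rev)     = $rest =~ /^(.*)-([^-]*)$/s ? ($1, $2) : ($rest, '');
    return ($epoch, $up, $rev);
}

# Returns -1, 0 or 1 like `dpkg --compare-versions`.
# e.g. '1:0.3-1' > '0.4-1' (epoch wins), '1.0~rc1' < '1.0', '0.4-1' < '0.4-1+deb10u1'
sub compare_versions {
    my ($ea, $ua, $ra) = _split_version($_[0]);
    my ($eb, $ub, $rb) = _split_version($_[1]);
    return $ea <=> $eb if $ea != $eb;
    my $r = _verrevcmp($ua, $ub) || _verrevcmp($ra, $rb);
    return $r <=> 0;
}

# Fixed versions published in the three advisories (Debian 10 buster).
my %fixed = (
    'libapache-session-ldap-perl'       => '0.4-1+deb10u1',     # DLA-3284-1
    'libapache-session-browseable-perl' => '1.3.0-1+deb10u1',   # DLA-3285-1
    map { ($_ => '2.0.2+ds-7+deb10u8') } qw(                     
        lemonldap-ng lemonldap-ng-doc lemonldap-ng-fastcgi-server
        lemonldap-ng-handler lemonldap-ng-uwsgi-app
        liblemonldap-ng-common-perl liblemonldap-ng-handler-perl
        liblemonldap-ng-manager-perl liblemonldap-ng-portal-perl),  # DLA-3287-1
);

# Lines in the format of: dpkg-query -W --showformat='${Package} ${Version} ${Status}\n'
sub check_listing {
    my ($lines, $fixed) = @_;
    my @report;
    for my $line (@$lines) {
        chomp(my $l = $line);
        my ($pkg, $ver, $status) = $l =~ /^(\S+)\s+(\S+)\s+(.*)$/ or next;
        next unless $status =~ /\binstalled$/;   # skip removed / config-files
        next unless exists $fixed->{$pkg};
        my $state = compare_versions($ver, $fixed->{$pkg}) < 0
            ? "VULNERABLE (fixed in $fixed->{$pkg})" : 'fixed';
        push @report, sprintf '%-34s %-20s %s', $pkg, $ver, $state;
    }
    return @report;
}

my @lines;
if (@ARGV && $ARGV[0] eq '--live') {
    open my $fh, '-|', 'dpkg-query', '-W',
        '--showformat=${Package} ${Version} ${Status}\n' or die "dpkg-query: $!";
    @lines = <$fh>;
    close $fh;
} else {
    # Constructed sample listing (not from a real host).
    @lines = (
        'libapache-session-ldap-perl 0.4-1 install ok installed',
        'libapache-session-browseable-perl 1.3.0-1+deb10u1 install ok installed',
        'lemonldap-ng 2.0.2+ds-7+deb10u7 install ok installed',
        'liblemonldap-ng-portal-perl 2.0.2+ds-7+deb10u8 install ok installed',
        'lemonldap-ng-doc 2.0.2+ds-7+deb10u8 deinstall ok config-files',
    );
}
print "$_\n" for check_listing(\@lines, \%fixed);
```

On the constructed listing the first and third packages are reported as vulnerable and the two at the fixed version as fixed; the `deinstall` entry is skipped because dpkg still lists removed packages whose configuration files remain. Run it with `--live` on a buster host to check the real package database. As the plugins themselves note, this only tells you the package carries the fix: a deployment that set `ldapVerify` to `none` (or ran `lemonldap-ng-cli set ldapVerify none`) is back to the unverified behaviour regardless of version, so the configuration needs to be reviewed alongside the package level.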