wekan / ldap

LDAP support for Wekan code has been moved to https://github.com/wekan/wekan/tree/master/packages/wekan-ldap , issues to https://github.com/wekan/wekan/issues , and if PRs are needed please add them instead to https://github.com/wekan/wekan/pulls
MIT License

Security: SSL/TLS certificate validation for LDAP disabled by default #89

Open robert-scheck opened 3 years ago

robert-scheck commented 3 years ago

As of writing, wekan-ldap disables the SSL/TLS certificate validation for LDAP by default unless LDAP_REJECT_UNAUTHORIZED=true is explicitly set. Thus, by default, wekan-ldap is effectively vulnerable to MITM attacks, even when using SSL/TLS for LDAP. I treat this default behaviour as bad, given that security shouldn't be opt-in but opt-out (e.g. for test-only environments). As this behaviour does not seem to be properly documented for system administrators (at least not outside of the source code), I would treat this as a vulnerability following CWE-295: Improper Certificate Validation and thus as a CVE-worthy candidate.

Oh, and please note that Node.js itself has, according to its documentation, a security-wise default by having true as default for rejectUnauthorized.