Merge branch 'master' of https://github.com/Evolveum/docs
Showing 7 changed files with 116 additions and 6 deletions.
docs/security/advisories/015-disabled-users-able-to-log-in-with-ldap.adoc (28 additions & 0 deletions)
@@ -0,0 +1,28 @@ | ||
= Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled | ||
:page-display-order: 15 | ||
:page-upkeep-status: green | ||
|
||
*Date:* 5 June 2023 | ||
|
||
*Severity:* Medium (CVSS 5.7) | ||
|
||
*Affected versions:* all released midPoint versions | ||
|
||
*Fixed in versions:* 4.7.1, 4.4.5, 4.6.1 | ||
|
||
|
||
== Description | ||
|
||
User which is disabled in midPoint, but still active in LDAP, is able to log-in to midPoint GUI if LDAP authentication was enabled and configured. | ||
|
||
== Severity and Impact | ||
|
||
This is medium-severity issue. | ||
|
||
The users perceived to not have access to the system, are still able to log in. | ||
|
||
== Mitigation | ||
|
||
* Disable LDAP authentication on affected midPoint versions | ||
* Automatically deactivate users in LDAP when they are disabled in midPoint. | ||
* Update midPoint to latest maintenance versions, which contains fix (4.7.1, 4.4.5, 4.6.1). |
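Review bot: the title and description need a grammar pass before this advisory is published: "able to log-in" in the title should be "able to log in" (verb, no hyphen), and the Description sentence "User which is disabled in midPoint, but still active in LDAP, is able to log-in to midPoint GUI if LDAP authentication was enabled and configured." reads better as "A user who is disabled in midPoint but still active in LDAP is able to log in to the midPoint GUI if LDAP authentication is enabled and configured." Two smaller points: list the fixed versions in ascending order (4.4.5, 4.6.1, 4.7.1) both in the header line and in the last mitigation bullet, so the three advisories added in this commit are consistent, and the second mitigation bullet ("Automatically deactivate users in LDAP when they are disabled in midPoint.") should say that it only helps for LDAP accounts that midPoint itself manages, otherwise a reader may take it as a complete fix.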
docs/security/advisories/016-unauth-user-is-able-to-reset-password.adoc (28 additions & 0 deletions)
@@ -0,0 +1,28 @@ | ||
= Security Advisory: Unauthorized user is able to reset password if focusIdentification is enabled | ||
:page-display-order: 16 | ||
:page-upkeep-status: green | ||
|
||
*Date:* 5 June 2023 | ||
|
||
*Severity:* High (CVSS 8.0) | ||
|
||
*Affected versions:* 4.7 | ||
|
||
*Fixed in versions:* 4.7.1 | ||
|
||
|
||
== Description | ||
|
||
Attacker is able to change user password using password reset form, if `focusIdentification` is enabled and attacker manipulates URL to skip follow-up configured password reset authorization steps. | ||
|
||
== Severity and Impact | ||
|
||
This is high-severity issue. | ||
|
||
The affected feature is not enabled by default. | ||
The attacker can change password of existing user if `focusIdentification` authorization module was enabled (it is disabled by default). | ||
|
||
== Mitigation | ||
|
||
* Disabling `focusIdentification` for password reset functionality, or: | ||
* Upgrading to latest maintenance release 4.7.1 |
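Review bot: the Mitigation list uses gerunds ("Disabling ...", "Upgrading ...") while advisories 015 and 017 in the same commit use imperatives, and the first bullet ends in a dangling "or:"; suggest "* Disable `focusIdentification` for the password reset functionality, or" followed by "* Upgrade to the latest maintenance release, 4.7.1." The Description sentence also needs articles: "An attacker is able to change a user's password using the password reset form, if `focusIdentification` is enabled and the attacker manipulates the URL to skip the configured follow-up password reset authorization steps." In Severity and Impact, the feature being disabled by default is stated in two consecutive sentences; keep one. Finally, "Affected versions: 4.7" is ambiguous next to "Fixed in versions: 4.7.1"; "4.7.0" would be clearer.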
docs/security/advisories/017-self-registration-allows-to-change-password.adoc (33 additions & 0 deletions)
@@ -0,0 +1,33 @@ | ||
= Security Advisory: Self Registration feature allows to change password of other users | ||
:page-display-order: 17 | ||
:page-upkeep-status: green | ||
|
||
*Date:* 5 June 2023 | ||
|
||
*Severity:* High (CVSS 8.0) | ||
|
||
*Affected versions:* all midPoint versions | ||
|
||
*Fixed in versions:* 4.4.5, 4.6.1, 4.7.1 | ||
|
||
|
||
== Description | ||
|
||
If self registration / post registration feature is enabled (feature is disabled by default), | ||
unauthorized attacker which knows OID of user is able to change password and or disable that user account exploiting vulnerability in post registration (invitation) form. | ||
|
||
== Severity and Impact | ||
|
||
This is high-severity issue. | ||
|
||
The affected feature is not enabled by default. MidPoint deployment is only affected if self registration feature is explicitly configured. | ||
|
||
If the self registration is enabled, the attacker can change password of existing user, and depending on configuration of self registration it can effectively disable account of other user or gain access to that account. | ||
|
||
== Mitigation | ||
|
||
* Disable self-registration feature in affected versions if it was enabled. | ||
* Update to latest maintenance midPoint release which contains fix. | ||
* Reconfigure post registration and post registration link generation to use invitation authentication sequence. | ||
** See updated xref:/midpoint/reference/misc/self-registration[Self Registration documentation] for midPoint 4.6.1 and 4.7.1. | ||
** See xref:/midpoint/reference/misc/self-registration/configuration-before-4-6/[Self Registration configuration before 4.6] for midPoint 4.4.5. |
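Review bot: the second mitigation bullet ("Update to latest maintenance midPoint release which contains fix.") does not name the releases, unlike the equivalent bullet in advisory 015; list 4.4.5, 4.6.1 and 4.7.1 there so the bullet is actionable on its own. The Description also needs grammar fixes: "unauthorized attacker which knows OID of user is able to change password and or disable that user account" should read "an unauthorized attacker who knows the OID of a user is able to change the password and/or disable that user account". Lastly, the two xref targets are inconsistent (one ends with a trailing slash, the other does not); pick one form for both.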