Impact
This vulnerability allows an attacker to authenticate as an existing user if that user was created through a single sign-on authentication option such as LDAP or SAML. Only instances that use LDAP or SAML for authentication instead of the default local password mechanism are affected.
Patches
Users should upgrade to at least version 4.2.0.
Workarounds
If upgrading is not currently feasible, a workaround can be implemented. Contact Nicolas CARPi privately if you wish to know about it. An upgrade is of course the best course of action.
References
This vulnerability was discovered and responsibly disclosed by Anders Märak Leffler (@anargam).
For more information
If you have any questions or comments about this advisory: