[midPoint] Security Advisory: Not Invited User able to register if Invitation flow is configured
Tony Tkacik
tony.tkacik at evolveum.com
Tue Jan 30 10:54:18 CET 2024
Date: 29. 01. 2024
Severity: High (CVSS 8.0)
Affected versions: 4.8
Fixed in versions: 4.8.1
Description
If invitation registration was configured together with a custom registration form, or with an object template that generated the name property, a user who had not been invited was able to register even without receiving an invitation email.
Severity and Impact
This is a High Severity issue.
The invitation feature is turned off by default; the vulnerability is exposed only by a specific configuration combination (the invitation flow together with a custom registration form or object template that supplies the name property).
Mitigation
Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance release, 4.8.1.
Until the upgrade is done, users are advised to disable invitation registration or to remove the name property from the custom registration form.
This advisory is also available at https://docs.evolveum.com/midpoint/reference/security/advisories/021-not-invited-user-able-to-register/
--
Anton Tkáčik
Software Developer
evolveum.com