• Type: Bug
• Resolution: Fixed
• Priority: Highest
• Fix Version/s: 3.3.7, 3.4.6, 3.5.1, 3.6.0
• Affects Version/s: 3.2.3, 3.3.0, 3.4.0, 3.3.2
• Component/s: Directory - Azure Active Directory
• Labels:

  • basm
  • crowd-3.2-known-issues
  • crowd-3.3-known-issues
  • crowd-3.4-known-issues
  • cvss-medium
  • privesc
  • security

[CWD-5320] Crowd silently ignores changes to active status of users in Azure AD.

Collapse comment: Benjamin Brummer added a comment - 31/May/2019 8:41 AM

Benjamin Brummer added a comment - 31/May/2019 8:41 AM

I can not activate a user which was synchronized as disabled at first. How can the collegue start working now? Re-adding the azure ad directory is no solution, as we will loose the whole configuration in crowd.

Expand comment: Benjamin Brummer added a comment - 31/May/2019 8:41 AM

Benjamin Brummer added a comment - 31/May/2019 8:41 AM I can not activate a user which was synchronized as disabled at first. How can the collegue start working now? Re-adding the azure ad directory is no solution, as we will loose the whole configuration in crowd.

Collapse comment: Sandor Krisztian Andre added a comment - 09/May/2019 10:25 AM

Sandor Krisztian Andre added a comment - 09/May/2019 10:25 AM

Change severity please. This in effect introduces a security vulnerability.

Expand comment: Sandor Krisztian Andre added a comment - 09/May/2019 10:25 AM

Sandor Krisztian Andre added a comment - 09/May/2019 10:25 AM Change severity please. This in effect introduces a security vulnerability.

Collapse comment: Sandor Krisztian Andre added a comment - 25/Apr/2019 10:07 AM

Sandor Krisztian Andre added a comment - 25/Apr/2019 10:07 AM

Hi, I can confirm this bug. It is the cause of the issue CWDSUP-16849.

Expand comment: Sandor Krisztian Andre added a comment - 25/Apr/2019 10:07 AM

Sandor Krisztian Andre added a comment - 25/Apr/2019 10:07 AM Hi, I can confirm this bug. It is the cause of the issue CWDSUP-16849.

Collapse comment: Benjamin Brummer added a comment - 23/Mar/2019 12:11 PM

Benjamin Brummer added a comment - 23/Mar/2019 12:11 PM

I upgraded to Crowd 3.4.0. It is affected, too

Expand comment: Benjamin Brummer added a comment - 23/Mar/2019 12:11 PM

Benjamin Brummer added a comment - 23/Mar/2019 12:11 PM I upgraded to Crowd 3.4.0. It is affected, too

Collapse comment: Benjamin Brummer added a comment - 19/Mar/2019 11:38 AM

Benjamin Brummer added a comment - 19/Mar/2019 11:38 AM

As it is not listed for Crowd 3.4.0 can you confirm that it is solved?

Expand comment: Benjamin Brummer added a comment - 19/Mar/2019 11:38 AM

Benjamin Brummer added a comment - 19/Mar/2019 11:38 AM As it is not listed for Crowd 3.4.0 can you confirm that it is solved?

Collapse comment: Benjamin Brummer added a comment - 07/Jan/2019 9:03 AM

Benjamin Brummer added a comment - 07/Jan/2019 9:03 AM

Version 3.3.3 is affected too.  I reported it for the first time starting with crowd 3.2.3, used when i opened a request on 18/Oct/18. I guess a lot of  companies are not aware of this issue and therefore a lot of former employees have still access to protected content.

Expand comment: Benjamin Brummer added a comment - 07/Jan/2019 9:03 AM

Benjamin Brummer added a comment - 07/Jan/2019 9:03 AM Version 3.3.3 is affected too.  I reported it for the first time starting with crowd 3.2.3, used when i opened a request on 18/Oct/18. I guess a lot of  companies are not aware of this issue and therefore a lot of former employees have still access to protected content.