• Type: Bug
• Resolution: Fixed
• Priority: High
• Fix Version/s: 3.4.6, 3.5.1, 3.6.0
• Affects Version/s: 3.1.1, 3.4.3
• Component/s: Upgrade
• Labels:

  • CVE-2019-20902
  • basm
  • cvss-medium
  • privesc
  • security

1. 

   auditlog.png

   294 kB

   18/Jun/2019 12:29 PM

[CWD-5409] Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20902

Pawel Cieszko made changes - 24/Aug/2023 1:59 PM

Remote Link

Original: This issue links to "KYAK-414 (Bulldog)" [ 434719 ]

New: This issue links to "KYAK-414 (JIRA Server (Bulldog))" [ 434719 ]

Daniel Serkowski made changes - 04/Nov/2022 2:43 PM

Remote Link

Original: This issue links to "Page (Confluence)" [ 444777 ]

Esteban Casuscelli made changes - 29/Mar/2022 3:21 PM

Remote Link

Original: This issue links to "Page (Confluence)" [ 630289 ]

Esteban Casuscelli made changes - 29/Mar/2022 3:19 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 630289 ]

Esteban Casuscelli made changes - 29/Mar/2022 12:45 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 630437 ]

David Black made changes - 30/Sep/2020 4:18 AM

Labels

Original: CVE-2019-20417 basm cvss-medium privesc security

New: CVE-2019-20902 basm cvss-medium privesc security

David Black made changes - 30/Sep/2020 4:18 AM

Summary

Original: Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20417

New: Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20902

AB made changes - 27/Jul/2020 12:55 AM

Description

Original: h3. Issue Summary Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP h3. Environment Crowd 3.x.x OpenLDAP h3. Steps to Reproduce # Install Crowd 3.1.1 and connect with OpenLDAP directory. # Synchronise the OpenLDAP directory. # Disable one of the user from OpenLDAP directory. # Generate the XML Backup. # Upgrade Crowd by following the steps in [Upgrading Crowd via XML Data Transfer|https://confluence.atlassian.com/crowd/upgrading-crowd-via-xml-data-transfer-213519481.html] h3. Expected Results OpenLDAP user remain disabled h3. Actual Results OpenLDAP user reactivate after the upgrade. Audit Logs shows that the user is synchronised from OpenLDAP and recreated in crowd as Active user: * !auditlog.png|thumbnail! h3. Workaround Upgrade Crowd using [Method 1: Automatic database upgrade|https://confluence.atlassian.com/crowd/upgrading-crowd-22544441.html]

New: h3. Issue Summary Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. h3. Environment Crowd 3.x.x OpenLDAP h3. Steps to Reproduce # Install Crowd 3.1.1 and connect with OpenLDAP directory. # Synchronise the OpenLDAP directory. # Disable one of the user from OpenLDAP directory. # Generate the XML Backup. # Upgrade Crowd by following the steps in [Upgrading Crowd via XML Data Transfer|https://confluence.atlassian.com/crowd/upgrading-crowd-via-xml-data-transfer-213519481.html] h3. Expected Results OpenLDAP user remain disabled h3. Actual Results OpenLDAP user reactivate after the upgrade. Audit Logs shows that the user is synchronised from OpenLDAP and recreated in crowd as Active user: * !auditlog.png|thumbnail! h3. Workaround Upgrade Crowd using [Method 1: Automatic database upgrade|https://confluence.atlassian.com/crowd/upgrading-crowd-22544441.html]

alexmin (Inactive) made changes - 27/Jul/2020 12:17 AM

Labels

Original: basm cvss-medium privesc security

New: CVE-2019-20417 basm cvss-medium privesc security

alexmin (Inactive) made changes - 27/Jul/2020 12:17 AM

Summary

Original: Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP

New: Upgrading Crowd via XML Data Transfer reactivate disabled user from OpenLDAP - CVE-2019-20417

Load more older history items