Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.4.6, 3.5.1, 3.6.0
Affects Version/s: 3.1.1, 3.4.3
Component/s: Upgrade
Labels:
- CVE-2019-20902
- basm
- cvss-medium
- privesc
- security

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP.

Environment

Crowd 3.x.x
OpenLDAP

Steps to Reproduce

Install Crowd 3.1.1 and connect with OpenLDAP directory.
Synchronise the OpenLDAP directory.
Disable one of the user from OpenLDAP directory.
Generate the XML Backup.
Upgrade Crowd by following the steps in Upgrading Crowd via XML Data Transfer

Expected Results

OpenLDAP user remain disabled

Actual Results

OpenLDAP user reactivate after the upgrade.

Audit Logs shows that the user is synchronised from OpenLDAP and recreated in crowd as Active user:

Workaround

Upgrade Crowd using Method 1: Automatic database upgrade

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

auditlog.png
294 kB
18/Jun/2019 12:29 PM

is cloned by: KYAK-414 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...

Assignee:: Szczepan (Inactive)

Reporter:: Dayana

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Due:: 16/Aug/2019

Created:: 18/Jun/2019 12:30 PM

Updated:: 24/Aug/2023 1:59 PM

Resolved:: 25/Jul/2019 11:33 AM