ATLASSIAN:CWD-5409

Upgrading Crowd via XML Data Transfer reactivates a disabled user from OpenLDAP - CVE-2019-20902

2019-06-18 12:30:18
dazmi
jira.atlassian.com
125

EPSS: 0.001
Percentile: 42.2%

h3. Issue Summary
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP.

h3. Environment
Crowd 3.x.x
OpenLDAP

h3. Steps to Reproduce
# Install Crowd 3.1.1 and connect it to an OpenLDAP directory.
# Synchronise the OpenLDAP directory.
# Disable one of the users from the OpenLDAP directory.
# Generate the XML backup.
# Upgrade Crowd by following the steps in [Upgrading Crowd via XML Data Transfer|https://confluence.atlassian.com/crowd/upgrading-crowd-via-xml-data-transfer-213519481.html].

h3. Expected Results
The OpenLDAP user remains disabled.

h3. Actual Results
The OpenLDAP user is reactivated after the upgrade.

The audit log shows that the user is synchronised from OpenLDAP and recreated in Crowd as an active user:

!auditlog.png|thumbnail!
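As an added post-upgrade check (not part of this issue or of Atlassian's code), the following script compares a user snapshot exported before the XML Data Transfer upgrade with one taken afterwards and lists accounts that were disabled before and are active after, which is exactly the condition this issue describes. The record shape ("name", "active", "directory-name") and the sample users are assumptions constructed for the example.

```python
"""Post-upgrade check for the CWD-5409 condition: a user that was
disabled before an XML Data Transfer upgrade but is active afterwards.
Added example; the record fields and sample users are assumptions."""
import json

# Constructed snapshot taken before the upgrade (old instance).
BEFORE_JSON = """[
 {"name": "alice", "active": true,  "directory-name": "OpenLDAP"},
 {"name": "bob",   "active": false, "directory-name": "OpenLDAP"},
 {"name": "Carol", "active": false, "directory-name": "OpenLDAP"},
 {"name": "dave",  "active": false, "directory-name": "Internal"}
]"""
# Constructed snapshot taken after the upgrade and the first LDAP sync.
AFTER_JSON = """[
 {"name": "alice", "active": true,  "directory-name": "OpenLDAP"},
 {"name": "bob",   "active": true,  "directory-name": "OpenLDAP"},
 {"name": "carol", "active": true,  "directory-name": "OpenLDAP"},
 {"name": "dave",  "active": false, "directory-name": "Internal"}
]"""


def index_users(records):
    """Map (directory, lowercased username) -> active flag.
    Crowd usernames are case-insensitive, so the key is normalised."""
    return {(u["directory-name"], u["name"].lower()): bool(u["active"])
            for u in records}


def reactivated_users(before, after):
    """Sorted (directory, username) pairs that were disabled in `before`
    and are active in `after`. Accounts absent from `after` are not
    reported here; see missing_users()."""
    b, a = index_users(before), index_users(after)
    return sorted(k for k, active in b.items()
                  if not active and a.get(k) is True)


def missing_users(before, after):
    """Sorted accounts present before the upgrade but absent afterwards."""
    b, a = index_users(before), index_users(after)
    return sorted(k for k in b if k not in a)


if __name__ == "__main__":
    before, after = json.loads(BEFORE_JSON), json.loads(AFTER_JSON)
    for directory, name in reactivated_users(before, after):
        print(f"REACTIVATED: {name} ({directory})")
    for directory, name in missing_users(before, after):
        print(f"MISSING: {name} ({directory})")
```

Run it against two exports of the user list (for example from Crowd's user management REST API) to confirm every account disabled before the upgrade is still disabled after it.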

h3. Workaround
Upgrade Crowd using [Method 1: Automatic database upgrade|https://confluence.atlassian.com/crowd/upgrading-crowd-22544441.html] instead of the XML Data Transfer method.
