CWD-5409 (jira.atlassian.com)

Upgrading Crowd via XML Data Transfer reactivates a disabled user from OpenLDAP - CVE-2019-20902

Jun 18, 2019 - 12:30 p.m. (2019-06-18 12:30:18)
Reporter: dazmi

CVSS2: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
  Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE
  Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: HIGH; Availability Impact: NONE

EPSS: 0.001 (Percentile 42.2%)

h3. Issue Summary
Upgrading Crowd via XML Data Transfer can reactivate a user from an OpenLDAP directory who had been disabled in Crowd. The disabled state does not survive the XML transfer: on the next directory synchronisation the user is recreated as active, so an account that an administrator deliberately locked out can log in again.

h3. Environment
Crowd 3.x.x
OpenLDAP

h3. Steps to Reproduce

1. Install Crowd 3.1.1 and connect it to an OpenLDAP directory.
2. Synchronise the OpenLDAP directory.
3. Disable one of the users from the OpenLDAP directory.
4. Generate the XML backup.
5. Upgrade Crowd by following the steps in [Upgrading Crowd via XML Data Transfer|https://confluence.atlassian.com/crowd/upgrading-crowd-via-xml-data-transfer-213519481.html]

h3. Expected Results
The OpenLDAP user remains disabled.

h3. Actual Results
The OpenLDAP user is reactivated after the upgrade.

The audit log shows that the user is synchronised from OpenLDAP and recreated in Crowd as an active user:

  • (attachment: auditlog.png)

h3. Workaround
Upgrade Crowd using [Method 1: Automatic database upgrade|https://confluence.atlassian.com/crowd/upgrading-crowd-22544441.html], which runs the new version against the existing database instead of re-importing users from an XML export. After any upgrade, compare the list of disabled directory users against the pre-upgrade state (user list or audit log) before treating the instance as back in service.
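A post-upgrade check for the behaviour described above, written as an added example; it is not part of the CWD-5409 issue and not Atlassian's code. It compares a pre-upgrade and a post-upgrade export and reports every directory user whose active flag flipped from false to true, plus disabled users that vanished from the export (a missing record is what the next sync would recreate as active). The XML layout used here (`<users><user><name>`, `<directoryId>`, `<active>`) is an assumed, simplified stand-in for a Crowd backup, and both documents are constructed samples; adapt the element names to your real export before use.

```python
"""Detect LDAP-backed users whose 'active' flag flipped from false to true
across a Crowd XML Data Transfer upgrade (CWD-5409 / CVE-2019-20902).

Added example, not Atlassian's code. The XML layout is ASSUMED and simplified;
the real Crowd backup schema differs, so map the element names accordingly.
"""
import xml.etree.ElementTree as ET

# Constructed sample: pre-upgrade backup. 'jdoe' is disabled in directory 2 (OpenLDAP).
PRE_UPGRADE_XML = """<crowd>
  <users>
    <user><name>admin</name><directoryId>1</directoryId><active>true</active></user>
    <user><name>jdoe</name><directoryId>2</directoryId><active>false</active></user>
    <user><name>asmith</name><directoryId>2</directoryId><active>true</active></user>
    <user><name>old.contractor</name><directoryId>2</directoryId><active>false</active></user>
  </users>
</crowd>"""

# Constructed sample: post-upgrade export after the LDAP sync recreated 'jdoe' as
# active and 'old.contractor' (disabled before) is no longer present at all.
POST_UPGRADE_XML = """<crowd>
  <users>
    <user><name>admin</name><directoryId>1</directoryId><active>true</active></user>
    <user><name>jdoe</name><directoryId>2</directoryId><active>true</active></user>
    <user><name>asmith</name><directoryId>2</directoryId><active>true</active></user>
  </users>
</crowd>"""


def parse_users(xml_text):
    """Return {(directoryId, name): active_bool} from the assumed backup layout."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iter("user"):
        name = (user.findtext("name") or "").strip()
        directory = (user.findtext("directoryId") or "").strip()
        active = (user.findtext("active") or "").strip().lower() == "true"
        users[(directory, name)] = active
    return users


def reactivated_users(pre_xml, post_xml):
    """(directoryId, name) pairs inactive before the upgrade and active after it."""
    pre = parse_users(pre_xml)
    post = parse_users(post_xml)
    return sorted(key for key, was_active in pre.items()
                  if not was_active and post.get(key, False))


def disabled_users_missing_after(pre_xml, post_xml):
    """Disabled users absent from the post-upgrade export. Worth flagging too:
    a record that no longer exists is recreated as active on the next sync."""
    pre = parse_users(pre_xml)
    post = parse_users(post_xml)
    return sorted(key for key, was_active in pre.items()
                  if not was_active and key not in post)


if __name__ == "__main__":
    for directory, name in reactivated_users(PRE_UPGRADE_XML, POST_UPGRADE_XML):
        print(f"REACTIVATED: {name} (directory {directory})")
    for directory, name in disabled_users_missing_after(PRE_UPGRADE_XML, POST_UPGRADE_XML):
        print(f"DISABLED USER MISSING: {name} (directory {directory})")
```

Run it against an export taken immediately before the upgrade and one taken after the first directory synchronisation; any name it prints should be disabled again (or removed from the directory) before users are let back in.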

Affected configurations (Vulners)

  atlassian crowd 3.1.1
  OR atlassian crowd 3.4.3
  OR atlassian crowd < 3.4.6
  OR atlassian crowd < 3.5.1
  OR atlassian crowd < 3.6.0

Vendor: atlassian  Product: crowd  Version: *  CPE: cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
