CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS
Percentile: 42.2%

h3. Issue Summary
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP.
h3. Environment
Crowd 3.x.x
OpenLDAP
h3. Steps to Reproduce
h3. Expected Results
The OpenLDAP user remains disabled.
h3. Actual Results
The OpenLDAP user is reactivated after the upgrade.
The audit log shows that the user is synchronised from OpenLDAP and recreated in Crowd as an active user:
h3. Workaround
Upgrade Crowd using [Method 1: Automatic database upgrade|https://confluence.atlassian.com/crowd/upgrading-crowd-22544441.html]