A bug in the WebUI can lead to disclosure of the credentials of previously logged-in users. Under certain conditions a local, physical attacker can get access to passwords of previously logged-in users from the WebUI. Details Preconditions This problem occurs if the following conditions apply: A logged in […]
Bug
A bug in the passOnNoUser policy allows authentication with an arbitrary password. Affected version: up to privacyIDEA 2.11.2 Probability: Medium Security Severity: High Technical Background The passOnNoUser policy is supposed to check whether an authenticating user exists. If the user exists, normal authentication is performed. If the user does not exist in the user […]
A bug in the policy module prevents authenticating with a serial number. Affected version: privacyIDEA 2.6 Probability: High Security Severity: Low Technical Background privacyIDEA allows authentication with either a username or a token serial number, i.e. the API accepts a POST /validate/check user=username pass=PIN+OTP or a POST /validate/check serial=serialnumber […]
A bug in the LDAP Resolver can lead to unauthorized access as an LDAP user. Under certain conditions a rogue user can log in as an LDAP user to the privacyIDEA web UI, or guess a static password part during authentication when the policy scope=authentication, otppin=userstore is used. Details Preconditions This problem […]