Security Advisory: SOAP Web Service Vulnerable To Brute Force Attack

Last modified 14 Feb 2024 10:22 +01:00

Date: 9 July 2019

Severity: Medium (CVSS 4.9)

Affected versions: all released midPoint versions

Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)


SOAP-based web service interface of midPoint does not limit authentication attempts.

Severity and Impact

An attacker with access to midPoint SOAP web service can issue numerous operation requests without any limitation of wrong authentication attempts. This can be used by an attacker for brute force attacks on user passwords.


Users of affected MidPoint versions are advised to upgrade their deployments to the latest builds from the support branches.

As this is a medium severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.

Discussion and Explanation

MidPoint is using custom authentication module for SOAP web services. Although authentication attempts were properly limited in midPoint user interface and REST service, such limitation was not applied to SOAP web service.

As SOAP web service is usually not accessible to public use, impact of this security vulnerability is limited. Even though the SOAP interface is becoming obsolete and it is going to be deprecated in midPoint 4.0, this security vulnerability was fixed in all supported versions of midPoint.

RESTful interface is not affected by this vulnerability.


This issue was reported by tester known as nistr by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

Was this page helpful?
Thanks for your feedback