Security Advisory: Self Registration feature allows to change password of other users

Last modified 22 Feb 2024 13:11 +01:00

Date: 5 June 2023

Severity: High (CVSS 8.0)

Affected versions: all midPoint versions

Fixed in versions: 4.4.5, 4.6.1, 4.7.1

Description

If self registration / post registration feature is enabled (feature is disabled by default), unauthorized attacker which knows OID of user is able to change password and or disable that user account exploiting vulnerability in post registration (invitation) form.

Severity and Impact

This is high-severity issue.

The affected feature is not enabled by default. MidPoint deployment is only affected if self registration feature is explicitly configured.

If the self registration is enabled, the attacker can change password of existing user, and depending on configuration of self registration it can effectively disable account of other user or gain access to that account.

Mitigation

Disable self-registration feature in affected versions if it was enabled.
Update to latest maintenance midPoint release which contains fix.
Reconfigure post registration and post registration link generation to use invitation authentication sequence.
- See updated Self Registration documentation for midPoint 4.6.1 and 4.7.1.
- See Self Registration configuration before 4.6 for midPoint 4.4.5.

Was this page helpful?

YES NO

Thanks for your feedback