Security Advisory: Self Registration feature allows to change password of other users
Date: 5 June 2023
Severity: High (CVSS 8.0)
Affected versions: all midPoint versions
Fixed in versions: 4.4.5, 4.6.1, 4.7.1
If self registration / post registration feature is enabled (feature is disabled by default), unauthorized attacker which knows OID of user is able to change password and or disable that user account exploiting vulnerability in post registration (invitation) form.
Severity and Impact
This is high-severity issue.
The affected feature is not enabled by default. MidPoint deployment is only affected if self registration feature is explicitly configured.
If the self registration is enabled, the attacker can change password of existing user, and depending on configuration of self registration it can effectively disable account of other user or gain access to that account.
Disable self-registration feature in affected versions if it was enabled.
Update to latest maintenance midPoint release which contains fix.
Reconfigure post registration and post registration link generation to use invitation authentication sequence.