Security Advisory: User-Enumeration attack (Malformed username)

An attacker uses a malformed username and incorrect password to log in to midPoint. MidPoint normalizes the name and searches for the user by name. If the user exists, it will redirect the attacker back to the login page with an error that the name or password is incorrect. If the user does not exist in the midpoint, the attacker is redirected to the 'Internal server error' page with status 500.

This is Medium Severity Issue.

The attacker gets information if there is a user with a normalized username.

Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance releases.