| 1 | +2024-001 Improper input validation on generic SSO login |
| 2 | +======================================================= |
| 3 | + |
| 4 | +The Sympa Community |
| 5 | +2024-12-16 (Initial version) |
| 6 | + |
| 7 | +Synopsis |
| 8 | +-------- |
| 9 | + |
| 10 | +A fix is available for improper input validation on generic SSO login feature |
| 11 | +of Sympa web interface. |
| 12 | + |
| 13 | +Systems Affected |
| 14 | +---------------- |
| 15 | + |
| 16 | +- All versions of Sympa prior to 6.2.74. |
| 17 | + |
| 18 | +Problem Description |
| 19 | +------------------- |
| 20 | + |
| 21 | +A flaw was discovered in the generic SSO functionality of Sympa web interface |
| 22 | +in a specific setting that could allow an attacker to bypass authentication |
| 23 | +and log in with an arbitrary e-mail address. |
| 24 | + |
| 25 | +Impact |
| 26 | +------ |
| 27 | + |
| 28 | +Attacker may bypass authentication and log in with an arbitrary e-mail address. |
| 29 | + |
| 30 | +Workarounds |
| 31 | +----------- |
| 32 | + |
| 33 | +* If the web interface, `wwsympa` service, is not available at all, |
| 34 | + you are not affected by this problem. |
| 35 | + |
| 36 | +* If you do not enable generic SSO, i.e. `auth.conf` does not contain |
| 37 | + `generic_sso` paragraph, you are not affected by this problem. |
| 38 | + |
| 39 | +* Even if generic SSO is enabled, if you don't set `force_email_verify` to |
| 40 | + `1`, you are not affected by this problem. |
| 41 | + |
| 42 | +Solution |
| 43 | +-------- |
| 44 | + |
| 45 | +* Upgrade Sympa to version 6.2.74 or later. |
| 46 | + |
| 47 | + * Source distribution: |
| 48 | + [sympa-6.2.74.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.74/sympa-6.2.74.tar.gz) |
| 49 | + |
| 50 | + * Binary distributions: Check release information by distributors. |
| 51 | + |
| 52 | + Check "[Upgrading Sympa](https://sympa-community.github.io/manual/upgrade.html)" |
| 53 | + in the Administration Manual for upgrading instruction in general. |
| 54 | + |
| 55 | +or, if you have installed Sympa using earlier version of source distribution, |
| 56 | + |
| 57 | +* Apply a patch: |
| 58 | + |
| 59 | + Patch for Sympa 6.2 to 6.2.72: |
| 60 | + [sympa-6.2.72-sa-2024-001-r1.patch](https://github.com/sympa-community/sympa/releases/download/6.2.74/sympa-6.2.72-sa-2024-001-r1.patch) |
| 61 | + |
| 62 | +CVE Numbers |
| 63 | +----------- |
| 64 | + |
| 65 | +[CVE-2024-55919](https://nvd.nist.gov/vuln/detail/CVE-2024-55919). |
| 66 | + |
| 67 | +References |
| 68 | +---------- |
| 69 | + |
| 70 | +https://github.com/sympa-community/sympa/pull/1917 |
| 71 | + |
| 72 | +Change log |
| 73 | +---------- |
| 74 | + |
| 75 | +- 2024-12-16 |
| 76 | + |
| 77 | + Initial version published. |
| 78 | + |
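Review bot: the Problem Description (lines 21-23 of the added file) says the bypass happens "in a specific setting" without naming it, and the reader only learns from the third Workarounds bullet (lines 39-40) that the setting is `force_email_verify` set to `1` in the `generic_sso` paragraph of `auth.conf`. Name that condition in Problem Description and qualify Systems Affected accordingly, e.g. "All versions of Sympa prior to 6.2.74 with generic SSO enabled and `force_email_verify` set to `1`", so an operator can triage without reading to the end. The Workarounds section also lists only the conditions under which a site is not affected; for a site that is affected, it should state the actual mitigation that follows from those bullets, namely removing `force_email_verify 1` from the `generic_sso` paragraph (or removing the paragraph, i.e. disabling generic SSO) until the upgrade to 6.2.74 or the `sympa-6.2.72-sa-2024-001-r1.patch` is applied.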