GHSA-36mj-6r7r-mqhf

Suggest an improvement
Source
https://github.com/advisories/GHSA-36mj-6r7r-mqhf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-36mj-6r7r-mqhf/GHSA-36mj-6r7r-mqhf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-36mj-6r7r-mqhf
Published
2021-09-29T17:09:23Z
Modified
2024-12-02T05:48:02.318985Z
Summary
User can obtain JWT token even if account is disabled
Details

Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T21:21:08Z"
}
References

Affected packages

Packagist / ezsystems/ezplatform-rest

Package

Name
ezsystems/ezplatform-rest
Purl
pkg:composer/ezsystems/ezplatform-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.8

Affected versions

v1.*

v1.3.0
v1.3.1
v1.3.1.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7