GHSA-p9mp-vq4v-v5m5

Suggest an improvement
Source
https://github.com/advisories/GHSA-p9mp-vq4v-v5m5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p9mp-vq4v-v5m5/GHSA-p9mp-vq4v-v5m5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p9mp-vq4v-v5m5
Published
2024-05-15T21:30:03Z
Modified
2024-11-29T05:29:39.484510Z
Summary
eZ Publish Legacy Passwordless login for LDAP users
Details

This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy.

Installations that are using the legacy LDAP login handler or the TextFile login handler in combination with the standard legacy login handler, may in rare cases be vulnerable to a failure of the standard login handler to verify passwords correctly, allowing unauthorised access.

If your installation has never used the LDAP or TextFile login handlers, or never used legacy login at all, then it is not affected. Still, we recommend installing the update, to be on the safe side.

To install, use Composer to update to one of the "Resolving versions" mentioned above, or apply this patch manually: https://github.com/ezsystems/ezpublish-legacy/commit/13f03a2be6c0ee4d0caaafaef05904ea9b0c4d9d

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:30:03Z"
}
References

Affected packages

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2018.9.0
Fixed
2018.9.1.1

Affected versions

v2018.*

v2018.09.0
v2018.09.1

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2018.6.0
Fixed
2018.6.1.2

Affected versions

v2018.*

v2018.06.0
v2018.06.1
v2018.06.1.1

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2011.0.0
Fixed
2017.12.4.1

Affected versions

2013.*

2013.04.0

v2013.*

v2013.05.0
v2013.06.0
v2013.07.0
v2013.07.1
v2013.07.3
v2013.09.0
v2013.11

v2014.*

v2014.01.0
v2014.01.1
v2014.01.2
v2014.03.1
v2014.03.2
v2014.05.0
v2014.05.1
v2014.05.2
v2014.07.0
v2014.07.1
v2014.07.2
v2014.11.0
v2014.11.1
v2014.11.2

v2015.*

v2015.01.0
v2015.01.1
v2015.01.2
v2015.01.3

v2017.*

v2017.08.0
v2017.08.1
v2017.08.1.1
v2017.10.0-RC1
v2017.10.0
v2017.10.1
v2017.12.0
v2017.12.1
v2017.12.1.1
v2017.12.2
v2017.12.2.1
v2017.12.2.2
v2017.12.3
v2017.12.3.1
v2017.12.3.2
v2017.12.4

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.4.12.1

Packagist / ezsystems/ezpublish-legacy

Package

Name
ezsystems/ezpublish-legacy
Purl
pkg:composer/ezsystems/ezpublish-legacy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.3.12.4