Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNm1qLTZyN3ItbXFoZs0WCg
User can obtain JWT token even if account is disabled
Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8
Permalink: https://github.com/advisories/GHSA-36mj-6r7r-mqhfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNm1qLTZyN3ItbXFoZs0WCg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
Identifiers: GHSA-36mj-6r7r-mqhf
References:
- https://github.com/ezsystems/ezplatform-rest/security/advisories/GHSA-36mj-6r7r-mqhf
- https://developers.ibexa.co/security-advisories/ibexa-sa-2021-007-jwt-auth-possible-for-disabled-users.-username-login-handler-can-t-be-disabled
- https://github.com/advisories/GHSA-36mj-6r7r-mqhf
Blast Radius: 0.0
Affected Packages
packagist:ezsystems/ezplatform-rest
Dependent packages: 33Dependent repositories: 36
Downloads: 386,985 total
Affected Version Ranges: >= 1.3.0, < 1.3.8
Fixed in: 1.3.8
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.21, 1.3.22, 1.3.23