CVE-2019-11187

Published: 15 August 2019

Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.

Priority

Low

CVSS 3 base score: 9.8

Status

Package          Release                              Status
fusiondirectory  Upstream                             Released (1.2.3-5)
fusiondirectory  Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (1.2.3-5)
fusiondirectory  Ubuntu 20.04 LTS (Focal Fossa)       Not vulnerable (1.2.3-5)
fusiondirectory  Ubuntu 18.04 LTS (Bionic Beaver)     Needs triage
fusiondirectory  Ubuntu 16.04 LTS (Xenial Xerus)      Needs triage
fusiondirectory  Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist
fusiondirectory  Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist
gosa             Upstream                             Released (2.7.4+reloaded3-9)
gosa             Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (2.7.4+reloaded3-9)
gosa             Ubuntu 20.04 LTS (Focal Fossa)       Not vulnerable (2.7.4+reloaded3-9)
gosa             Ubuntu 18.04 LTS (Bionic Beaver)     Needs triage
gosa             Ubuntu 16.04 LTS (Xenial Xerus)      Released (2.7.4+reloaded2-9ubuntu1.1)
gosa             Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist
gosa             Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist