CVE-2019-11187

NameCVE-2019-11187
DescriptionIncorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1875-1, DLA-1876-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fusiondirectory (PTS)buster1.2.3-4+deb10u1fixed
buster (security)1.2.3-4+deb10u2fixed
bullseye1.3-4fixed
gosa (PTS)buster2.7.4+reloaded3-8+deb10u2fixed
bullseye2.7.4+reloaded3-16fixed
bookworm2.8~git20230203.10abe45+dfsg-1+deb12u2fixed
sid, trixie2.8~git20230203.10abe45+dfsg-11fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fusiondirectorysourcejessie1.0.8.2-5+deb8u2DLA-1875-1
fusiondirectorysourcestretch1.0.19-1+deb9u1
fusiondirectorysourcebuster1.2.3-4+deb10u1
fusiondirectorysource(unstable)1.2.3-5
gosasourcejessie2.7.4+reloaded2-1+deb8u4DLA-1876-1
gosasourcestretch2.7.4+reloaded2-13+deb9u2
gosasourcebuster2.7.4+reloaded3-8+deb10u1
gosasource(unstable)2.7.4+reloaded3-9

Search for package or bug name: Reporting problems