CVE-2019-11187

NameCVE-2019-11187
DescriptionIncorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1875-1, DLA-1876-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fusiondirectory (PTS)jessie1.0.8.2-5+deb8u1vulnerable
jessie (security)1.0.8.2-5+deb8u2fixed
stretch1.0.19-1+deb9u1fixed
buster1.2.3-4+deb10u1fixed
bullseye, sid1.3-1fixed
gosa (PTS)jessie2.7.4+reloaded2-1+deb8u2vulnerable
jessie (security)2.7.4+reloaded2-1+deb8u5fixed
stretch (security), stretch2.7.4+reloaded2-13+deb9u1vulnerable
buster2.7.4+reloaded3-8+deb10u1fixed
bullseye, sid2.7.4+reloaded3-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fusiondirectorysource(unstable)1.2.3-5high
fusiondirectorysourcebuster1.2.3-4+deb10u1high
fusiondirectorysourcejessie1.0.8.2-5+deb8u2highDLA-1875-1
fusiondirectorysourcestretch1.0.19-1+deb9u1high
gosasource(unstable)2.7.4+reloaded3-9high
gosasourcebuster2.7.4+reloaded3-8+deb10u1high
gosasourcejessie2.7.4+reloaded2-1+deb8u4highDLA-1876-1

Notes

[stretch] - gosa <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems