CVE-2019-11187

NameCVE-2019-11187
DescriptionIncorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1875-1, DLA-1876-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
fusiondirectory (PTS)jessie1.0.8.2-5+deb8u1vulnerable
jessie (security)1.0.8.2-5+deb8u2fixed
stretch1.0.19-1vulnerable
buster1.2.3-4vulnerable
bullseye, sid1.2.3-5fixed
gosa (PTS)jessie2.7.4+reloaded2-1+deb8u2vulnerable
jessie (security)2.7.4+reloaded2-1+deb8u4fixed
stretch (security), stretch2.7.4+reloaded2-13+deb9u1vulnerable
buster2.7.4+reloaded3-8vulnerable
bullseye, sid2.7.4+reloaded3-9fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
fusiondirectorysource(unstable)1.2.3-5
fusiondirectorysourcejessie1.0.8.2-5+deb8u2DLA-1875-1
gosasource(unstable)2.7.4+reloaded3-9
gosasourcejessie2.7.4+reloaded2-1+deb8u4DLA-1876-1

Notes

[buster] - fusiondirectory <no-dsa> (Minor issue)
[stretch] - fusiondirectory <no-dsa> (Minor issue)
[buster] - gosa <no-dsa> (Minor issue)
[stretch] - gosa <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems