GHSA-36mj-6r7r-mqhf

Source
https://github.com/advisories/GHSA-36mj-6r7r-mqhf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-36mj-6r7r-mqhf/GHSA-36mj-6r7r-mqhf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-36mj-6r7r-mqhf
Published
2021-09-29T17:09:23Z
Modified
2024-12-02T05:49:38.734493Z
Summary
User can obtain JWT token even if account is disabled
Details

Users can obtain a JWT token and authenticate with it even if their user account is disabled. This is a high-risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T21:21:08Z"
}
References

Affected packages

Packagist / ezsystems/ezplatform-rest

Package

Name
ezsystems/ezplatform-rest
Purl
pkg:composer/ezsystems/ezplatform-rest

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.8

Affected versions

v1.*

v1.3.0
v1.3.1
v1.3.1.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7