PT-2024-28699 · Internet2 · Internet2 Grouper+1
Jeff Williams · Published 2024-06-29 · Updated 2024-07-03
CVE-2024-39848
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Internet2 Grouper versions prior to 5.6
Grouper for Web Services versions prior to 4.13.1
Description
The issue allows authentication bypass when LDAP authentication is used in certain ways. This is related to the internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication class and the use of the UyY29r password for the M3vwHr account.
Recommendations
For Internet2 Grouper versions prior to 5.6, update to version 5.6 or later.
For Grouper for Web Services versions prior to 4.13.1, update to version 4.13.1 or later.
As a temporary workaround, consider restricting the use of LDAP authentication until a patch is available.
Affected Products
Grouper For Web Services
Internet2 Grouper