2024-001 Improper input validation on generic SSO login

The Sympa Community 2024-12-16 (Initial version)

Synopsis

A fix is available for improper input validation on generic SSO login feature of Sympa web interface.

Systems Affected

• All versions of Sympa prior to 6.2.74.

Problem Description

A flaw was discovered in the generic SSO functionality of Sympa web interface in a specific setting that could allow an attacker to bypass authentication and log in with an arbitrary e-mail address.

Impact

Attacker may bypass authentication and log in with an arbitrary e-mail address.

Workarounds

• If the web interface, wwsympa service, is not available at all, you are not affected by this problem.

• If you do not enable generic SSO, i.e. auth.conf does not contain generic_sso paragraph, you are not affected by this problem.

• Even if generic SSO is enabled, if you don't set force_email_verify to 1, you are not affected by this problem.

Solution

• Upgrade Sympa to version 6.2.74 or later.

  • Source distribution: sympa-6.2.74.tar.gz

  • Binary distributions: Check release information by distributors.

  Check "Upgrading Sympa" in the Administration Manual for upgrading instruction in general.

or, if you have installed Sympa using earlier version of source distribution,

• Apply a patch:

  Patch for Sympa 6.2 to 6.2.72: sympa-6.2.72-sa-2024-001-r1.patch

CVE Numbers

CVE-2024-55919.

References

https://github.com/sympa-community/sympa/pull/1917

Change log

• 2024-12-16

  Initial version published.