Page tree
Skip to end of metadata
Go to start of metadata

Date: 23 May 2019

Severity: Low (CVSS 0.1-3.9)

Affected versions: all released midPoint versions

Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)

Description

Plaintext passwords are sometimes stored in task objects in the repository (database).

Severity and Impact

Tasks dealing with password manipulation (e.g. when doing bulk or asynchronous password reset) may contain plaintext password values. So a user that is able to retrieve these tasks from the repository can see them.

Most midPoint deployment are not affected by this issue at all. By default, there are no tasks that manipulate passwords, unless created explicitly by the midPoint administrator. Also, default midPoint configuration does not allow access to arbitrary task objects by anyone else than system administrator.

Mitigation

MidPoint users are advised to upgrade their deployments to the latest builds from the support branches.

As this is a low severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.

Discussion and Explanation

MidPoint can execute custom tasks on background. Typical ones are bulk actions (midPoint scripting) tasks and tasks that asynchronously execute specified object changes. Actions or changes to be executed are stored directly in these tasks. Although midPoint encrypts all the data that is to be stored into repository, it did not do that consistently and some data – namely, data related to object changes – passed through this encryption routine unnoticed.

The midPoint code was fixed to be able to recognize password data in more depth than before. However, there are some conditions that must be fulfilled here: basically, values to be protected must be marked as such. Please see this wiki page for more information.


Credit

This issue was reported by Martin Lízner and Arnošt Starosta by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

See Also

  • No labels