announce - [announce@sympa] [Sympa Security Advisory] 2024-001 Improper input validation on generic SSO login

Subject: Announcements of new sympa release

  • From: IKEDA Soji <>
  • To:
  • Subject: [announce@sympa] [Sympa Security Advisory] 2024-001 Improper input validation on generic SSO login
  • Date: Mon, 16 Dec 2024 20:54:36 +0900

Updated versions of this advisory will be found at:
https://sympa-community.github.io/security/2024-001.html

2024-001 Improper input validation on generic SSO login
=======================================================

The Sympa Community
2024-12-16 (Initial version)

Synopsis
--------

A fix is available for improper input validation in the generic SSO login
feature of the Sympa web interface.

Systems Affected
----------------

- All versions of Sympa prior to 6.2.74.

Problem Description
-------------------

A flaw was discovered in the generic SSO functionality of the Sympa web
interface that, in a specific configuration, could allow an attacker to bypass
authentication and log in with an arbitrary e-mail address.

Impact
------

An attacker may bypass authentication and log in with an arbitrary e-mail
address.

Workarounds
-----------

* If the web interface (the `wwsympa` service) is not running at all,
you are not affected by this problem.

* If you have not enabled generic SSO, i.e. `auth.conf` does not contain a
`generic_sso` paragraph, you are not affected by this problem.

* Even if generic SSO is enabled, if `force_email_verify` is not set to
`1`, you are not affected by this problem.
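The three workaround conditions above, together with the version threshold in
"Systems Affected", amount to a short audit: an instance is in the affected
configuration only if it runs a version earlier than 6.2.74 and its `auth.conf`
contains a `generic_sso` paragraph with `force_email_verify` set to `1`. The
following script encodes that check. It is an added example, not Sympa project
code, and it assumes the documented `auth.conf` layout (paragraphs separated by
blank lines, each opened by a keyword such as `generic_sso` followed by indented
`key value` lines); the sample configuration embedded in it is constructed, and
the parameter names other than `force_email_verify` are assumed from the usual
generic SSO paragraph.

```python
"""Audit helper for Sympa SA 2024-001 (added example, not Sympa project code).

Reports whether an instance matches the affected configuration the advisory
describes: version earlier than 6.2.74 AND an auth.conf generic_sso paragraph
with force_email_verify set to 1.
"""
import re
import sys

FIXED_VERSION = (6, 2, 74)   # first fixed release named in the advisory


def parse_version(version):
    """Turn '6.2.72' (or a beta like '6.2.73b.1') into a tuple of leading ints.

    Parsing stops at the first non-numeric suffix so a beta of 6.2.73 still
    compares as 6.2.73, i.e. earlier than the fixed 6.2.74.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):   # e.g. '73b': keep 73, ignore the rest
            break
    return tuple(parts)


def version_is_vulnerable(version):
    """True for every version prior to 6.2.74, as stated under Systems Affected."""
    return parse_version(version) < FIXED_VERSION


def parse_auth_conf(text):
    """Split auth.conf text into a list of (paragraph_keyword, {key: value}).

    Assumed layout: a paragraph starts with an unindented keyword line,
    continues with indented 'key value' lines and ends at a blank line.
    '#' comments are ignored.
    """
    paragraphs = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            current = None              # blank (or comment-only) line closes a paragraph
            continue
        if not raw[0].isspace():
            current = (line.strip(), {})
            paragraphs.append(current)
        elif current is not None:
            fields = line.strip().split(None, 1)
            current[1][fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return paragraphs


def assess(version, auth_conf_text):
    """Apply the advisory's workaround logic; return (status, reason)."""
    if not version_is_vulnerable(version):
        return ("not_affected", "running %s; fixed in 6.2.74" % version)
    sso = [params for kw, params in parse_auth_conf(auth_conf_text) if kw == "generic_sso"]
    if not sso:
        return ("not_affected", "no generic_sso paragraph in auth.conf")
    risky = [p for p in sso if p.get("force_email_verify") == "1"]
    if not risky:
        return ("not_affected", "generic_sso present but force_email_verify is not 1")
    return ("affected",
            "%d generic_sso paragraph(s) with force_email_verify 1; upgrade to 6.2.74 or later"
            % len(risky))


# Constructed sample auth.conf, not taken from a real installation.
SAMPLE_AUTH_CONF = """\
# constructed sample
user_table

generic_sso
    service_name        Example SSO
    service_id          examplesso
    http_header_prefix  HTTP_SSO
    email_http_header   HTTP_SSO_EMAIL
    force_email_verify  1
"""

if __name__ == "__main__":
    # Usage: python audit.py <sympa-version> [path/to/auth.conf]
    ver = sys.argv[1] if len(sys.argv) > 1 else "6.2.72"
    conf = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_AUTH_CONF
    status, reason = assess(ver, conf)
    print("%s: %s" % (status, reason))
```

Run against the sample with version `6.2.72` the script reports `affected`; with `6.2.74` or with `force_email_verify` absent or not `1` it reports `not_affected`, matching the three workaround bullets. The check is read-only and is meant for inventorying instances ahead of the upgrade, not as a substitute for it.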

Solution
--------

* Upgrade Sympa to version 6.2.74 or later.

* Source distribution:

[sympa-6.2.74.tar.gz](https://github.com/sympa-community/sympa/releases/download/6.2.74/sympa-6.2.74.tar.gz)

* Binary distributions: check the release information from your distributor.

Check "[Upgrading
Sympa](https://sympa-community.github.io/manual/upgrade.html)"
in the Administration Manual for general upgrade instructions.

Or, if you installed Sympa from an earlier source distribution,

* Apply a patch:

Patch for Sympa 6.2 to 6.2.72:

[sympa-6.2.72-sa-2024-001-r1.patch](https://github.com/sympa-community/sympa/releases/download/6.2.74/sympa-6.2.72-sa-2024-001-r1.patch)

CVE Numbers
-----------

[CVE-2024-55919](https://nvd.nist.gov/vuln/detail/CVE-2024-55919).

References
----------

https://github.com/sympa-community/sympa/pull/1917

Change log
----------

- 2024-12-16

Initial version published.
