Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Ubuntu 16.04 LTS: USN-4609-1 Critical: gosa Access Control Issues

ubuntu
Calendar Grey October 28, 2020
Dist Ubuntu Esm H88
Important security patch for gosa on Ubuntu, targeting various flaws and possible remote exploitation.
Several security issues were fixed in gosa.

Summary

Several security issues were fixed in gosa.

Software Description:

- gosa: Web Based LDAP Administration Program

Details:

Fabian Henneke discovered that GOsa incorrectly handled client cookies. An

authenticated user could exploit this with a crafted cookie to perform

file deletions in the context of the user account that runs the web

server. (CVE-2019-14466)

It was discovered that GOsa incorrectly handled user access control. A

remote attacker could use this issue to log into any account with a

username containing the word "success". (CVE-2019-11187)

Fabian Henneke discovered that GOsa was vulnerable to cross-site scripting

attacks via the change password form. A remote attacker could use this

flaw to run arbitrary web scripts. (CVE-2018-1000528)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  gosa                            2.7.4+reloaded2-9ubuntu1.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4609-1

CVE-2018-1000528, CVE-2019-11187, CVE-2019-14466

Severity
critical
Lowest
Low
Medium
High
Critical

October 28, 2020

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here