LemonLDAP NG / lemonldap-ng · Issue #2337 · Closed
Issue created Oct 02, 2020 by Christophe Maudoux (@maudoux, Maintainer)

[security:low] If SFA is enabled with the impersonation plugin, users can add or remove the spoofed user's 2F devices

Environment

LemonLDAP::NG version: 2.0.3 and others

Operating system: all

Web server: all

Summary

Enable SFA and impersonation. Log in as dwho and spoof rtyler. You can then add or remove SFA devices in rtyler's persistent session.

Possible fixes

Detect that impersonation is in progress and forbid the delete or add action.
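A model of the fix, added here as an illustration and not LemonLDAP::NG's own code: a 2F-device update routine that selects the persistent session by the effective uid (the behaviour reported above) beside one that refuses the change while an impersonation marker is present. The session keys `uid`, `_impReal` and `_2fDevices`, the sample users and the in-memory store are assumptions constructed for the example.

```python
"""Model of the 2F-device registration path, with and without an impersonation guard."""
import copy
import logging

log = logging.getLogger("sfa-guard")

# Constructed persistent-session store keyed by real user id (sample data, not from the issue).
PERSISTENT_SESSIONS = {
    "dwho": {"_2fDevices": []},
    "rtyler": {"_2fDevices": [{"type": "TOTP", "name": "phone"}]},
}


class ImpersonationForbidden(PermissionError):
    """Raised when a 2F device change is attempted during impersonation."""


def fresh_store():
    """Returns an independent copy of the sample store so each scenario starts clean."""
    return copy.deepcopy(PERSISTENT_SESSIONS)


def is_impersonating(session):
    """Assumed marker: '_impReal' holds the authenticating user; a mismatch with 'uid' means spoofing."""
    real = session.get("_impReal")
    return real is not None and real != session.get("uid")


def update_devices_unguarded(store, session, action, device):
    """'Before' behaviour: the effective uid selects the persistent session, so dwho spoofing rtyler edits rtyler's devices."""
    devices = store[session["uid"]]["_2fDevices"]
    if action == "add":
        devices.append(device)
    elif action == "delete":
        devices[:] = [d for d in devices if d["name"] != device["name"]]
    return devices


def update_devices_guarded(store, session, action, device):
    """Fixed behaviour: refuse add/delete while impersonation is in progress and log the attempt."""
    if is_impersonating(session):
        log.warning("2F %s refused: %s is impersonating %s", action, session["_impReal"], session["uid"])
        raise ImpersonationForbidden(f"2F device {action} forbidden during impersonation")
    return update_devices_unguarded(store, session, action, device)


def demo():
    """Replays the issue's scenario (dwho spoofs rtyler) against both variants; returns rtyler's device lists."""
    spoofed = {"uid": "rtyler", "_impReal": "dwho"}
    new_dev = {"type": "U2F", "name": "spoofed-key"}
    before, after = fresh_store(), fresh_store()
    update_devices_unguarded(before, spoofed, "add", new_dev)
    try:
        update_devices_guarded(after, spoofed, "add", new_dev)
    except ImpersonationForbidden:
        pass
    return before["rtyler"]["_2fDevices"], after["rtyler"]["_2fDevices"]
```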

Edited Oct 03, 2020 by Christophe Maudoux