lemonldap-ng issue #2337

Created Oct 02, 2020 by Christophe Maudoux (@maudoux), Maintainer

[security:low] If SFA is enabled with the Impersonation plugin, users can add or remove a spoofed user's 2F devices

Environment

LemonLDAP::NG version: 2.0.3 and others

Operating system: all

Web server: all

Summary

Enable SFA and Impersonation. Log in as dwho and spoof rtyler. You can add or remove SFA devices in rtyler's persistent session.

Possible fixes

Detect that impersonation is in progress and forbid the add and delete actions.

Edited Oct 03, 2020 by Christophe Maudoux
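One way to implement the check suggested under "Possible fixes", as an added Python model that is not LemonLDAP::NG's own code (the project is written in Perl; this only demonstrates the logic): the vulnerable add/remove handlers edit the persistent session of whichever identity the portal currently acts as, so a spoofer edits the victim's second factors, while the fixed handlers refuse as soon as the acting identity differs from the authenticated one. The session keys `user` and `real_user`, the store layout, the device records and every function name are assumptions made for this illustration, not the project's identifiers.

```python
# Added example (not LemonLDAP::NG code): models the reported bug and the
# suggested fix for a 2F device manager used while impersonating another user.
# All names below (session keys, store layout, function names) are assumptions.


class NotAuthorized(Exception):
    """Raised when a 2F device change is attempted during impersonation."""


def make_session(user, real_user=None):
    """Model of a portal session.

    `user` is the identity the portal currently acts as; `real_user` is the
    account that actually authenticated. Impersonation is modelled as the two
    holding different values (assumed representation, not the project's keys).
    """
    return {"user": user, "real_user": real_user or user}


def is_impersonating(session):
    """Impersonation is in progress when the acting identity differs from the
    authenticated one."""
    return session["real_user"] != session["user"]


def add_device_vulnerable(store, session, device):
    """Behaviour as reported: the device is written to the persistent session
    of whoever the portal currently acts as, so dwho spoofing rtyler edits
    rtyler's second factors."""
    store.setdefault(session["user"], []).append(device)
    return store[session["user"]]


def remove_device_vulnerable(store, session, name):
    """Same flaw for removal: a spoofer can strip the victim's second factor."""
    devices = store.setdefault(session["user"], [])
    store[session["user"]] = [d for d in devices if d["name"] != name]
    return store[session["user"]]


def add_device_fixed(store, session, device):
    """Suggested fix: refuse any add while impersonation is in progress."""
    if is_impersonating(session):
        raise NotAuthorized(
            f"{session['real_user']} may not add 2F devices while spoofing {session['user']}"
        )
    return add_device_vulnerable(store, session, device)


def remove_device_fixed(store, session, name):
    """Suggested fix: refuse any delete while impersonation is in progress."""
    if is_impersonating(session):
        raise NotAuthorized(
            f"{session['real_user']} may not remove 2F devices while spoofing {session['user']}"
        )
    return remove_device_vulnerable(store, session, name)


def run_scenario():
    """Replays the report: dwho logs in, spoofs rtyler, and tries to change
    rtyler's devices through both code paths. Returns what each path left in
    rtyler's persistent session (constructed data)."""
    # Constructed persistent sessions: rtyler has one registered TOTP device.
    store = {"rtyler": [{"type": "TOTP", "name": "phone"}], "dwho": []}
    spoofed = make_session("rtyler", real_user="dwho")
    attacker_key = {"type": "U2F", "name": "attacker-key"}

    # Vulnerable path: the spoofer enrols a key on rtyler and drops rtyler's TOTP.
    add_device_vulnerable(store, spoofed, attacker_key)
    remove_device_vulnerable(store, spoofed, "phone")
    after_vulnerable = [d["name"] for d in store["rtyler"]]

    # Fixed path, starting again from rtyler's original devices.
    store = {"rtyler": [{"type": "TOTP", "name": "phone"}], "dwho": []}
    refused = 0
    for action in (
        lambda: add_device_fixed(store, spoofed, attacker_key),
        lambda: remove_device_fixed(store, spoofed, "phone"),
    ):
        try:
            action()
        except NotAuthorized:
            refused += 1
    after_fixed = [d["name"] for d in store["rtyler"]]

    # rtyler, logged in as himself, can still manage his own devices.
    own = make_session("rtyler")
    add_device_fixed(store, own, {"type": "U2F", "name": "rtyler-key"})
    after_own = [d["name"] for d in store["rtyler"]]

    return {
        "after_vulnerable": after_vulnerable,
        "refused": refused,
        "after_fixed": after_fixed,
        "after_own": after_own,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario leaves rtyler with only the attacker's key on the vulnerable path, keeps his original device untouched on the fixed path (both spoofed actions are refused), and still lets rtyler manage his own devices when he is not being impersonated. The guard deliberately refuses rather than redirecting the change to the real user's session, matching the fix the report proposes.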