[Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos

Concerned version

Version: 2.0.13

Summary

Summarize the bug encountered concisely

Enable restPasswordServer
Configure Combination [Kerberos, Demo] or [Demo] (works with LDAP too)
use /proxy/pwdConfirm to validate dwho/wrongpassword => returns true

Logs

[debug] Entering REST pwdConfirm method
[debug] Processing getUser
[debug] Processing authenticate
[debug]  -> authResult = 0

Because authenticate always returns OK in Auth::Kerberos

See also #2611

Low severity because this feature is probably not used by anyone. To successfully exploit this, a user must have deployed another application that relies on pwdConfirm to validate passwords (such as another LLNG instance using Auth::REST)

Edited Sep 13, 2021 by Maxime Besson