When a user is configured to use OTP the expected provided password from the user is the combination of his password and the OTP tokencode.
It looks like it is possible to login by providing only the OTP tokencode.
CVE-2014-7828 is assigned.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1160877 (Red Hat Enterprise Linux 7)
This was fixed also in 4.0.5, fixing milestone.
Metadata Update from @ctria:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.0.5
to comment on this ticket.