#194 CVE-2015-5301: missing user authorization check when deleting a service provider
Closed: Fixed. Opened 3 years ago by puiterwijk.

It was found that Ipsilon does not check whether a user is authorized to delete a service provider. This makes it possible for any authenticated user to delete any service provider, causing a denial of service.

The vulnerable code is at:

https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/saml2/admin.py#_309


This has been fixed with 9dec97c.

Releases 1.0.2 and 1.1.1 have been released to resolve this.

keywords: => security
milestone: => 1.2
resolution: => fixed
status: new => closed
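The bug class described in the ticket is a delete handler that stops at authentication and never asks whether this particular user may delete this particular object. The following is an added illustration, not Ipsilon's code and not the fix in 9dec97c: it places the authenticated-only pattern beside a handler that also performs an object-level authorization check. The `ServiceProvider`/`Session`/`ProviderStore` names, the `owner` attribute, and the policy "admins or the registering owner may delete" are assumptions made for the example; the sample providers and sessions are constructed inline.

```python
"""Added example (not Ipsilon's own code): an authenticated-only delete
handler beside one that also enforces authorization on the target object.

Assumptions for illustration: each provider record carries an 'owner'
attribute (the user who registered it), and the session carries the
caller's username plus an 'is_admin' flag.  Nothing here reflects how
Ipsilon actually models providers or sessions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class ServiceProvider:
    name: str
    owner: str  # assumed attribute: user who registered the SP


@dataclass
class Session:
    username: Optional[str]  # None means no one is logged in
    is_admin: bool = False   # assumed attribute: site administrator


class ProviderStore:
    """In-memory stand-in for a provider registry (constructed for the example)."""

    def __init__(self, providers: Iterable[ServiceProvider]) -> None:
        self._providers: Dict[str, ServiceProvider] = {p.name: p for p in providers}

    def names(self) -> List[str]:
        return sorted(self._providers)

    def delete_unchecked(self, session: Session, name: str) -> None:
        """Vulnerable pattern: the only gate is 'is the caller logged in?'.

        Any authenticated user can remove any provider, which is the
        denial-of-service the ticket describes.
        """
        if session.username is None:
            raise PermissionError("login required")
        if name not in self._providers:
            raise KeyError(name)
        del self._providers[name]

    def delete(self, session: Session, name: str) -> None:
        """Hardened pattern: authenticate, then authorize against the object.

        The check is made after looking up the target so that the decision
        can use the object's own attributes (here, its owner).  The policy
        'admin or owner' is an assumption chosen for the example.
        """
        if session.username is None:
            raise PermissionError("login required")
        sp = self._providers.get(name)
        if sp is None:
            raise KeyError(name)
        if not (session.is_admin or sp.owner == session.username):
            raise PermissionError(
                "%s is not authorized to delete %s" % (session.username, name)
            )
        del self._providers[name]


def demo() -> dict:
    """Run both handlers as an unprivileged user and report what survived."""
    # Constructed sample data: two providers owned by different users.
    store = ProviderStore([ServiceProvider("sp-alice", "alice"),
                           ServiceProvider("sp-bob", "bob")])
    mallory = Session("mallory")  # authenticated, owns nothing, not admin

    store.delete_unchecked(mallory, "sp-alice")  # succeeds: the bug
    after_unchecked = store.names()

    try:
        store.delete(mallory, "sp-bob")  # refused: authorization check
        refused = False
    except PermissionError:
        refused = True
    after_checked = store.names()

    store.delete(Session("bob"), "sp-bob")      # owner may delete own SP
    return {"after_unchecked": after_unchecked,
            "refused": refused,
            "after_checked": after_checked,
            "final": store.names()}


if __name__ == "__main__":
    print(demo())
```

The point worth carrying over to a real code base is the ordering in `delete`: look the object up first, then decide using both the caller's role and the object's attributes, and only then mutate. A check that consults only the session (as `delete_unchecked` does) can never express "this user may delete this provider but not that one".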

Fields changed

type: defect => Security

Metadata Update from @puiterwijk:
- Issue assigned to puiterwijk
- Issue set to the milestone: 1.2
- Issue tagged with: security

2 years ago

