Title: Disabled automation users could still authenticate
Class: security
Compatible: incomp
Component: wato
Date: 1702309789
Edition: cre
Level: 1
Version: 2.3.0b1
Prior to this Werk an automation user whose password was disabled also described as
"disable the login to this account" was still able to authenticate.
The information that a user was disabled was not checked for automation users.
We found this vulnerability internally.
<b>Affected Versions</b>:
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
LI: 1.6.0
LI: 1.5.0 (probably older versions as well)
<b>Mitigations</b>:
If the need arises to block an automation user one can change the password or remove that
user from the system.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31211 to this vulnerability.
<b>Changes</b>:
This Werk adds a check for the disabled information. During update you will be warned if a
automation user is currently disabled.
Show replies by date