Opencast / MH-9307

Users with null passwords may log in using an empty string

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed and reviewed
    • Affects versions: 1.4.0
    • Fix versions: 1.4.0
    • Components: Backend Software
    • Labels:
      None
    • Severity:
      Security
    • Steps to reproduce:
      1. Create a user in the user database with a null password (to prevent login)
      2. Now go to the login screen and log in with the user's login name and an empty password
       
      Actual Results:

      The user is logged in by Spring Security
       
      Expected Results:
       
      The user is not logged in
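
The failure mode reported above, as an added illustration that is not Opencast or Spring Security code. It assumes the null stored password was coerced to an empty string somewhere before the comparison; the class, method and account names are hypothetical and the stored values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class NullPasswordCheck {
    // Constructed sample store: login name -> stored credential string.
    // A null value marks an account that must never authenticate.
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "constructed-credential");
        USERS.put("locked", null);
    }

    // Assumed failure pattern: null is coerced to "" so later code never
    // sees a null, and an empty submitted password then compares equal.
    static boolean weakCheck(String login, String presented) {
        String stored = USERS.get(login);
        String expected = (stored == null) ? "" : stored;
        return expected.equals(presented);
    }

    // Hardened form: a null or empty stored credential matches nothing,
    // and unknown logins are rejected the same way.
    static boolean hardenedCheck(String login, String presented) {
        String stored = USERS.get(login);
        if (stored == null || stored.isEmpty() || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String[][] attempts = {
            {"locked", ""}, {"locked", "x"}, {"alice", ""},
            {"alice", "constructed-credential"}, {"nobody", ""},
        };
        for (String[] a : attempts) {
            System.out.printf("%-7s %-24s weak=%-5b hardened=%b%n",
                    a[0], "\"" + a[1] + "\"",
                    weakCheck(a[0], a[1]), hardenedCheck(a[0], a[1]));
        }
    }
}
```

The same rows make a regression test for the fix: any account stored with a null or empty password must fail authentication for every submitted value, including the empty string.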

            People

            • Assignee:
              lrohner Lukas Rohner
              Reporter:
              twunden Tobias Wunden