A flaw was found in the way FreeIPA handled sessions. It was found that a user with a locked account could reuse his older session, from when the user's account was active, to unlock his account which got locked later on.
Version: FreeIPA 4.4.0-12 on RHEL 7.3

I tried to use two browsers for reproducing it. See the steps below.

Account lock due to failed log-in attempts:
1. Chrome: Logged in as tuser
2. Firefox: Logged out
3. Firefox: 6x failed log-in as tuser
4. Firefox: Try to log in with correct passwd to test that account is locked
5. Firefox: Log-in is not possible
6. Chrome: (still active session from last login) Tries to click on Unlock in Action menu - it failed with internal server error (the same error is there for any other API calls to server)

Account disabling:
1. Chrome: Logged in as tuser
2. Firefox: Logged in as admin
3. Firefox: Navigate to 'tuser' user details page
4. Firefox: Actions -> Disable to disable the 'tuser' user
6. Chrome: (still active session from last login) "Enable user" in Actions on details page is grayed out, so: tries to change a field value and click "Save" - it failed with internal server error (the same error is there for any other API calls to server)

In case those above are the steps to reproduce, I'm not able to reproduce it. But still, I would rather wait for exact steps (and more information about env) from the reporter to be sure that we don't miss anything.
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1497164]
Statement: This security issue does not exist in IPA / FreeIPA. FreeIPA server correctly rejects the HTTP request for "user_unlock" method with 401 Unauthorized HTTP code when the attacker tries to reuse an older browser session. Therefore, we do not consider this report as a valid security concern. We have submitted a request to MITRE to reject this CVE ID.
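The behaviour the statement describes (an older browser session being refused with 401 once the account is locked or disabled) comes down to one design rule: the server must re-check the account's current state on every request rather than trusting the state it had at login time. The following is an added example that models that rule; it is not FreeIPA's code. The `Server` class, the `user_unlock` / `user_disable` / `user_mod` method names used as RPC-style dispatch targets, the admin-only rule for unlock and disable, the lockout threshold of 6 and the `tuser` / `admin` accounts are all constructed for the illustration, and the two scenario functions replay the reporter's two reproduction attempts from the comment above.

```python
"""Session re-validation model (added example, not FreeIPA's code).

Every request that presents a session id is checked against the account's
current state. A session issued before a lockout or an administrative
disable is therefore refused with HTTP 401, which is the behaviour the
statement above describes for the "user_unlock" request.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 6  # constructed: failed logins before the account locks


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the model never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False
    failed_logins: int = 0
    locked: bool = False    # set by repeated failed logins
    disabled: bool = False  # set by an administrator


@dataclass
class Server:
    accounts: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # session id -> username

    def add_account(self, user, password, is_admin=False):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt), is_admin)

    def login(self, user, password):
        """Return a fresh session id, or None if authentication is refused."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked or acct.disabled:
            return None
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed_logins += 1
            if acct.failed_logins >= LOCKOUT_THRESHOLD:
                acct.locked = True
            return None
        acct.failed_logins = 0
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def authorize(self, sid):
        """Re-check the session owner's account on every request (the key rule)."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        acct = self.accounts[user]
        if acct.locked or acct.disabled:
            self.sessions.pop(sid, None)  # stale session: discard it
            return None
        return user

    def api_call(self, sid, method, target=None):
        """Dispatch an RPC-style call; returns (status, body)."""
        user = self.authorize(sid)
        if user is None:
            return 401, "Unauthorized"
        acct = self.accounts[user]
        if method in ("user_unlock", "user_disable"):
            if not acct.is_admin:  # model assumption: these are admin-only
                return 403, "Forbidden"
            tgt = self.accounts[target]
            if method == "user_unlock":
                tgt.locked, tgt.failed_logins = False, 0
            else:
                tgt.disabled = True
            return 200, f"{method} {target}"
        if method == "user_mod":
            return 200, f"user_mod {user}"
        return 404, "Unknown method"


def scenario_lockout():
    """Reporter's first scenario: lock by failed logins, then reuse the old session."""
    srv = Server()
    srv.add_account("tuser", "correct-pw")
    chrome = srv.login("tuser", "correct-pw")      # session from before the lockout
    for _ in range(LOCKOUT_THRESHOLD):
        srv.login("tuser", "wrong-pw")             # six failures lock the account
    firefox = srv.login("tuser", "correct-pw")     # correct password, but locked
    reuse = srv.api_call(chrome, "user_unlock", target="tuser")
    return firefox, reuse                          # (None, (401, "Unauthorized"))


def scenario_disable():
    """Reporter's second scenario: admin disables the user, old session is reused."""
    srv = Server()
    srv.add_account("tuser", "correct-pw")
    srv.add_account("admin", "admin-pw", is_admin=True)
    chrome = srv.login("tuser", "correct-pw")
    admin = srv.login("admin", "admin-pw")
    disable = srv.api_call(admin, "user_disable", target="tuser")
    reuse = srv.api_call(chrome, "user_mod")
    return disable, reuse   # ((200, "user_disable tuser"), (401, "Unauthorized"))


if __name__ == "__main__":
    print(scenario_lockout())
    print(scenario_disable())
```

The point of the model is `authorize`: it looks up the owning account and its `locked` / `disabled` flags on each call and evicts the session when either is set. A design that only validated the session cookie's signature or expiry, and cached "authenticated" at login time, would let the pre-lockout session keep working, which is exactly the condition the original report worried about.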