Security issues were discovered in the passwordauth plugin's use of CGI::FormBuilder, involving API design issues similar to those that led to CVE-2014-1572.

Impact:

* An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields in the user database for that account.

Sites that enable the CGI script (cgi_wrapper) and do not disable the simple password authentication plugin (passwordauth, enabled by default) are affected.

References:

http://seclists.org/oss-sec/2017/q1/67
https://ikiwiki.info/security/#cve-2017-0356
Created ikiwiki tracking bugs for this issue:

Affects: fedora-all [bug 1412702]
Affects: epel-6 [bug 1406696]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.