syncope-dev mailing list archives

From "fabio martelli (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SYNCOPE-928) Table that stores user passwords store duplicate entries
Date Thu, 01 Sep 2016 14:01:20 GMT

     [ https://issues.apache.org/jira/browse/SYNCOPE-928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

fabio martelli updated SYNCOPE-928:
-----------------------------------
    Description: 
An issue has been identified on the mailing list

http://syncope-dev.1063484.n5.nabble.com/Syncope-Password-History-Question-td5720367.html

Essentially the table that stores user passwords is storing duplicate
entries. So if you have a policy that mandates that a user can only change
to his/her original password after say 8 resets, then the user will be able
to do so in 5 instead.


  was:
A potential security issue has been identified on the mailing list

http://syncope-dev.1063484.n5.nabble.com/Syncope-Password-History-Question-td5720367.html

Essentially the table that stores user passwords is storing duplicate
entries. So if you have a policy that mandates that a user can only change
to his/her original password after say 8 resets, then the user will be able
to do so in 5 instead.



>  Table that stores user passwords store duplicate entries
> ---------------------------------------------------------
>
>                 Key: SYNCOPE-928
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-928
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.1.8, 1.2.8, 2.0.0-M4
>            Reporter: fabio martelli
>            Assignee: fabio martelli
>             Fix For: 1.1.9, 1.2.9, 2.0.0-M5
>
>
> An issue has been identified on the mailing list
> http://syncope-dev.1063484.n5.nabble.com/Syncope-Password-History-Question-td5720367.html
> Essentially the table that stores user passwords is storing duplicate
> entries. So if you have a policy that mandates that a user can only change
> to his/her original password after say 8 resets, then the user will be able
> to do so in 5 instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
