Impact
It is possible to explore the user accounts on an openEQUELLA instance via a user interface for searching for users. This discloses first name, last name and userid (which can be the userid for a configured integrated security system, e.g. LDAP).
Patches
There is a patch available for all versions of oEQ starting at 6.6. Please ensure you upgrade to the latest version, or at least:
- 6.6r53
- 2018.2r66
- 2019.1.8
- 2019.2.6
- 2020.1.6
Version 2020.2.0, when released, will include the fix.
Workarounds
None.
For more information
If you have any questions or comments about this advisory: