Impact
It may be possible for a deactivated user to login when using uncommon configurations.
This only applies if any of the following are true:
Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated.
Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected.
Patches
- If using JSON Web Token logins: #15624
- For other users: #15634
Workarounds
If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This list of users can be queried from PostgreSQL:
SELECT name FROM users WHERE password_hash IS NOT NULL AND deactivated = 1;
Impact
It may be possible for a deactivated user to login when using uncommon configurations.
This only applies if any of the following are true:
jwt_config.enabledconfiguration settingpassword_config.enabledandpassword_config.localdb_enabledconfiguration settings and a user's password is updated via an admin API after a user is deactivated.Note that the local password database is enabled by default, but it is uncommon to set a user's password after they've been deactivated.
Installations that are configured to only allow login via Single Sign-On (SSO) via CAS, SAML or OpenID Connect (OIDC); or via an external password provider (e.g. LDAP) are not affected.
Patches
Workarounds
If not using JSON Web Tokens, ensure that deactivated users do not have a password set. This list of users can be queried from PostgreSQL: