Impact
If:
ZulipLDAPAuthBackend and an external authentication backend (any aside of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py- The organization permissions don't require invitations to join
An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.
The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having Invitations are required for joining this organization organization permission disabled.
Workaround
Enabling Invitations are required for joining this organization organization permission prevents this issue.
Impact
If:
ZulipLDAPAuthBackendand an external authentication backend (any aside ofZulipLDAPAuthBackendandEmailAuthBackend) are the only ones enabled inAUTHENTICATION_BACKENDSin/etc/zulip/settings.pyAn attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.
The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having
Invitations are required for joining this organizationorganization permission disabled.Workaround
Enabling
Invitations are required for joining this organizationorganization permission prevents this issue.