Impact
If:
ZulipLDAPAuthBackend
and an external authentication backend (any aside of ZulipLDAPAuthBackend
and EmailAuthBackend
) are the only ones enabled in AUTHENTICATION_BACKENDS
in /etc/zulip/settings.py
- The organization permissions don't require invitations to join
An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.
The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having Invitations are required for joining this organization
organization permission disabled.
Workaround
Enabling Invitations are required for joining this organization
organization permission prevents this issue.
Impact
If:
ZulipLDAPAuthBackend
and an external authentication backend (any aside ofZulipLDAPAuthBackend
andEmailAuthBackend
) are the only ones enabled inAUTHENTICATION_BACKENDS
in/etc/zulip/settings.py
An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory.
The impact is limited to installations which have this specific combination of authentication backends as described above in addition to having
Invitations are required for joining this organization
organization permission disabled.Workaround
Enabling
Invitations are required for joining this organization
organization permission prevents this issue.