nginx-ldap-auth

Leaving the password field empty bypasses authentication

Open kishorviswanathan opened this issue 4 years ago • 1 comment

I have deployed nginx-ldap-auth with nginx-ingress controller on GKE. I have enabled group validation. When a valid username that is a member of the group is provided, the password field can be left empty. This is a security issue and can grant access to anyone who knows a valid username.

kishorviswanathan, Sep 28 '20 13:09

I was also able to reproduce the bug when requiredGroups is empty or not specified.

iul1an, Oct 20 '20 19:10
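The behaviour reported in the issue and confirmed in the reply (empty password accepted, with and without `requiredGroups`) is the classic LDAP unauthenticated-bind pitfall: a server that permits unauthenticated binds (RFC 4513 section 5.1.2) accepts a non-empty DN with an empty password and treats the session as anonymous, so the user's password is never verified and many client libraries report the bind as successful. Group validation cannot compensate, because the group lookup runs after a bind that proved nothing. The following is an added example, not code from nginx-ldap-auth, showing the naive pass-through beside a hardened handler that refuses empty or whitespace-only passwords before any bind is attempted. The in-memory directory, the `uid=...,ou=people,dc=example,dc=com` DN template and the sample user and group are constructed for the example.

```python
"""Added example (not nginx-ldap-auth code): why an empty password must be
rejected before an LDAP simple bind, and what the fix looks like.

The directory below is a constructed stand-in that mimics a server allowing
unauthenticated binds (RFC 4513 section 5.1.2), so the example runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Constructed in-memory directory standing in for a real LDAP server."""
    passwords: dict = field(default_factory=dict)   # dn -> password
    groups: dict = field(default_factory=dict)      # group name -> set of member DNs
    allow_unauthenticated_bind: bool = True         # the permissive default being modelled

    def simple_bind(self, dn: str, password: str) -> bool:
        # Unauthenticated bind: a DN with an empty password is accepted as
        # anonymous and the stored password is never compared.
        if dn and password == "":
            return self.allow_unauthenticated_bind
        return self.passwords.get(dn) == password

    def groups_of(self, dn: str) -> set:
        return {g for g, members in self.groups.items() if dn in members}


def bind_naive(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Mirrors the reported behaviour: passes the password straight through."""
    return server.simple_bind(dn, password)


def bind_hardened(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Refuse empty or whitespace-only passwords before contacting the server."""
    if not dn or not password.strip():
        return False
    return server.simple_bind(dn, password)


def authenticate(server, username, password, required_groups, bind_fn) -> bool:
    """Bind as the user, then check group membership if any groups are required.

    The DN template is an assumption made for this example.
    """
    dn = f"uid={username},ou=people,dc=example,dc=com"
    if not bind_fn(server, dn, password):
        return False
    if required_groups:                       # empty set: no group check, as in the reply
        return bool(required_groups & server.groups_of(dn))
    return True


# Constructed sample directory: one user who is a member of one group.
DIRECTORY = FakeLdapServer(
    passwords={"uid=alice,ou=people,dc=example,dc=com": "correct-horse"},
    groups={"admins": {"uid=alice,ou=people,dc=example,dc=com"}},
)


def run_scenarios() -> dict:
    """Return the outcome of each case described in the issue and its reply."""
    admins = {"admins"}
    return {
        # The reported bug: valid group member, empty password, access granted.
        "naive_empty_password_with_groups": authenticate(DIRECTORY, "alice", "", admins, bind_naive),
        # The reply: same bypass with requiredGroups empty.
        "naive_empty_password_no_groups": authenticate(DIRECTORY, "alice", "", set(), bind_naive),
        # Hardened handler refuses the empty password in both configurations.
        "hardened_empty_password_with_groups": authenticate(DIRECTORY, "alice", "", admins, bind_hardened),
        "hardened_empty_password_no_groups": authenticate(DIRECTORY, "alice", "", set(), bind_hardened),
        # Normal operation is unaffected.
        "hardened_correct_password": authenticate(DIRECTORY, "alice", "correct-horse", admins, bind_hardened),
        "hardened_wrong_password": authenticate(DIRECTORY, "alice", "wrong", admins, bind_hardened),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:40s} -> {'ACCESS GRANTED' if ok else 'denied'}")
```

The check belongs in the auth handler rather than in the directory configuration: disabling unauthenticated binds on the LDAP server is also worth doing, but the proxy should never forward an empty credential in the first place, and a log line for each rejected empty-password attempt gives a cheap detection signal for username enumeration against the endpoint.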