Security advisory: IBEXA-SA-2021-007

JWT auth possible for disabled users. Username login handler can't be disabled.
Publication date:
28/09/2021, 14:00


Affected versions: Ibexa DXP v3.3.* (ezsystems/ezplatform-rest v1.3.*, ezsystems/ezcommerce-shop v3.3.*, ezsystems/ezcommerce-checkout v1.0.*)
Resolving versions: Ibexa DXP v3.3.9 (ezsystems/ezplatform-rest v1.3.8, ezsystems/ezcommerce-shop v3.3.8, ezsystems/ezcommerce-checkout v1.0.5)

This Security Advisory is about two vulnerabilities in Ibexa DXP.

The first vulnerability involves authentication using JWT tokens. Users can authenticate this way even if their user account is disabled. This is a high risk vulnerability when account disabling is used to block users' access to the system. (Someone who never had an account cannot exploit this vulnerability.) The fix ensures tokens are generated only for enabled user accounts, and is distributed via Composer as ezsystems/ezplatform-rest v1.3.8

The second vulnerability involves Ibexa Commerce code which is integrated in all three flavours of the DXP: Content, Experience and Commerce. One such piece of code overrides login functionality. This means that login by email does not work, even if the Ibexa provider for this is enabled. It also means that login by username will work, even if the Ibexa provider for this is disabled. This constitutes a low to medium security risk, when this behaviour is unexpected and unwanted. This issue does not affect Ibexa Open Source.

The fix removes this Commerce code, so the documented login behaviour of Ibexa DXP is restored. This also means that login by customer number is disabled. This will be reintroduced later. The forgot-password-feature is also restored to the one provided by the ezplatform-user bundle. We recommend that you install this update, unless you depend on the current Commerce-based login features. The fix is distributed via Composer as ezsystems/ezcommerce-shop v3.3.8 and ezsystems/ezcommerce-checkout v1.0.5

Both fixes are included in Ibexa DXP v3.3.9, which was released today.

Have you found a security bug in Ibexa DXP? See how to report it responsibly here:

All security advisories