CVE-2021-45890
Description
basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AuthGuard before 0.9.0 allows authentication with inactive user identifiers due to missing validation in BasicAuthProvider.
Vulnerability
The vulnerability resides in basic/BasicAuthProvider.java in AuthGuard versions before 0.9.0. The verifyCredentialsAndGetAccount method did not check whether the identifier (e.g., username) is active before proceeding with password verification. This allowed authentication using an inactive identifier, effectively bypassing account deactivation. [1][2][3][4]
Exploitation
An attacker needs to know an inactive username and its corresponding password (or no password for the no-password authentication flow). The attacker can send an authentication request with the inactive username and valid password; the server will accept it and return a session or token, granting access as that user. [1][4]
Impact
Successful exploitation grants the attacker the same privileges as the inactive user. This could lead to unauthorized access to resources, data disclosure, or actions performed under that user's identity. The severity depends on the permissions assigned to the inactive account. [1][4]
Mitigation
The issue is fixed in AuthGuard version 0.9.0, released on 2021-12-27. The fix adds a call to checkIdentifier in both password and no-password authentication paths, which rejects inactive identifiers. Users should upgrade to 0.9.0 or later. No workaround is available for earlier versions. [1][2][3]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
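The difference between the two behaviours described above, as an added example that is not AuthGuard's source code. Only the name `checkIdentifier` comes from this page; the classes, fields, login methods and sample account are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

// Illustrative model (Java 16+). Every name except checkIdentifier is hypothetical
// and does not reflect AuthGuard's real classes or signatures.
public class InactiveIdentifierCheck {
    record Identifier(String value, boolean active) {}
    record Account(List<Identifier> identifiers, String secret) {}

    // Stand-in for real password-hash verification; uses a constant-time compare.
    static boolean passwordMatches(Account a, String password) {
        return MessageDigest.isEqual(a.secret().getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    // Rejects the attempt unless the identifier used to log in exists and is active.
    static void checkIdentifier(Account a, String used) {
        boolean active = a.identifiers().stream()
                .anyMatch(i -> i.value().equals(used) && i.active());
        if (!active) throw new SecurityException("identifier is not active");
    }

    // Pre-fix shape: the identifier's state is never consulted.
    static boolean loginBeforeFix(Account a, String identifier, String password) {
        return passwordMatches(a, password);
    }

    // Fixed shape: the identifier check runs before credential verification.
    static boolean loginAfterFix(Account a, String identifier, String password) {
        checkIdentifier(a, identifier);
        return passwordMatches(a, password);
    }

    public static void main(String[] args) {
        // Constructed sample account with one active and one deactivated identifier.
        Account acct = new Account(List.of(new Identifier("alice", true),
                                           new Identifier("alice-old", false)),
                                   "constructed-secret");
        System.out.println("before fix, inactive identifier accepted: "
                + loginBeforeFix(acct, "alice-old", "constructed-secret"));
        try {
            loginAfterFix(acct, "alice-old", "constructed-secret");
            System.out.println("after fix: accepted");
        } catch (SecurityException e) {
            System.out.println("after fix: rejected, " + e.getMessage());
        }
    }
}
```

A regression test for this class of bug should cover every authentication path that resolves an account from an identifier, since the page notes the fix was applied to both the password and no-password flows.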
Affected products
- AuthGuard/AuthGuard (description)
References
- github.com/AuthGuard/AuthGuard/commit/9783b1143da6576028de23e15a1f198b1f937b82 (mitre, x_refsource_MISC)
- github.com/AuthGuard/AuthGuard/compare/v0.8.0...v0.9.0 (mitre, x_refsource_MISC)
- github.com/AuthGuard/AuthGuard/issues/166 (mitre, x_refsource_MISC)
- github.com/AuthGuard/AuthGuard/pull/181 (mitre, x_refsource_MISC)