CVE-2023-29484

CVE-2023-29484 describes a vulnerability where, given specific conditions, an LDAP user with an incorrectly configured LDAP identifier could log into the Terminalfour platform using an invalid password.

By default, an imported LDAP user would have the correct LDAP identifier set. To exploit this vulnerability the LDAP identifier of an importer user would need to have been manually altered to an incorrect value.

With this release, a user with an incorrectly set LDAP identifier is no longer able to log into the Terminalfour platform with an incorrect password.

The issue was addressed in the following Terminalfour versions:

• 8.3.16
• 8.3.14.2
• 8.3.11.2
• 8.2.18.8
• 8.2.18.2.3
• 7.4.0004 QP3

No evidence was found of this vulnerability having been exploited. All potentially affected hosted clients have been fully patched and Terminalfour have contacted all potentially affected self-hosted clients to notify them of the need to patch.

Terminalfour has made every effort to ensure that they have had the time and support that they need to apply the patch.