Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. During specific conditions, this could allow users to authenticate....
Hasnain says:
Yikes
“A precondition for this vulnerability is that the username must be or exceed 52 characters any time a cache key is generated for the user.”
Posted on 2024-11-02T04:31:50+0000
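As an added illustration, not Okta's code and not text from the advisory, the Python below models the cache-key derivation the excerpt describes (a hash over userId + username + password) together with the 52-character precondition quoted in the comment. The bcrypt call is replaced by a stand-in that reproduces only bcrypt's 72-byte input limit, so the module runs with the standard library alone; the salt, the passwords and the 20-character user ID are constructed (the ID length is an assumption chosen so that 20 + 52 exactly fills the 72-byte window, not something the page states). It shows why two different passwords produce the same key once the user ID and username fill that window, that a slightly shorter username still leaves only a byte or two of the password in play, and one way to harden the derivation by pre-hashing length-prefixed fields to a fixed-size digest before the expensive hash.

```python
"""Model of the AD/LDAP DelAuth cache-key defect described in the advisory.

The bcrypt call is replaced by a stand-in that keeps only bcrypt's 72-byte
input limit (bytes past 72 never reach the hash); SHA-256 stands in for the
digest so this runs offline with the standard library. It is NOT bcrypt.
"""
import hashlib

BCRYPT_INPUT_LIMIT = 72  # bytes of key material bcrypt actually consumes


def _bcrypt_stand_in(material: bytes, salt: bytes) -> str:
    """Stand-in for bcrypt: models only the 72-byte truncation that matters here."""
    used = material[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(salt + used).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> str:
    """Key derived the way the advisory describes: hash(userId + username + password)."""
    material = (user_id + username + password).encode("utf-8")
    return _bcrypt_stand_in(material, salt)


def password_bytes_hashed(user_id: str, username: str, password: str) -> int:
    """Number of password bytes that fall inside the 72-byte window.

    0 means the password does not influence the key at all: any password
    yields the same cache key for this userId + username pair.
    """
    prefix = len((user_id + username).encode("utf-8"))
    remaining = BCRYPT_INPUT_LIMIT - prefix
    return max(0, min(remaining, len(password.encode("utf-8"))))


def hardened_cache_key(user_id: str, username: str, password: str, salt: bytes) -> str:
    """Pre-hash the complete, length-prefixed material to a fixed 32-byte digest.

    Every byte of every field now influences the key regardless of username
    length, and the length prefixes remove field-boundary ambiguity in the
    concatenation (e.g. "ab" + "c" vs "a" + "bc").
    """
    h = hashlib.sha256()
    for field in (user_id, username, password):
        b = field.encode("utf-8")
        h.update(len(b).to_bytes(4, "big"))
        h.update(b)
    return _bcrypt_stand_in(h.digest(), salt)


def demo() -> dict:
    """Walk through the constructed scenario and return the observations."""
    salt = b"constructed-static-salt"       # constructed; a real deployment uses a per-key salt
    user_id = "00u" + "x" * 17              # constructed 20-character ID (assumption, see lead-in)
    long_user = "a" * 52                    # the advisory's 52-character threshold
    almost_long_user = "a" * 51             # one short of the threshold
    right, wrong = "correct-horse", "completely-different"
    return {
        "password_bytes_hashed_at_52": password_bytes_hashed(user_id, long_user, right),
        "password_bytes_hashed_at_51": password_bytes_hashed(user_id, almost_long_user, right),
        "vulnerable_collides_at_52": vulnerable_cache_key(user_id, long_user, right, salt)
        == vulnerable_cache_key(user_id, long_user, wrong, salt),
        # at 51 only the first password byte is hashed, so passwords sharing it collide
        "vulnerable_collides_at_51_same_first_byte": vulnerable_cache_key(user_id, almost_long_user, "cat", salt)
        == vulnerable_cache_key(user_id, almost_long_user, "correct", salt),
        "hardened_collides_at_52": hardened_cache_key(user_id, long_user, right, salt)
        == hardened_cache_key(user_id, long_user, wrong, salt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`password_bytes_hashed` is the check a reviewer can run against any concatenate-then-bcrypt design: if it can return 0 for inputs an attacker controls (here the username), the password is not part of the key. Pre-hashing to a fixed-size digest, or using an HMAC with a server-side key instead of bcrypt for a cache key, removes the dependence on field lengths entirely.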