23 July 2023 - Denial of service via unauthenticated user_provider_set function
Versions affected: 4.0-6.0.1
Fixed in version: 6.0.3
Severity: Minor

The API function user_provider_set can be called without authentication. This can lead to denial of service if both built-in and LDAP/SAML authentication methods are enabled.

An attacker could change a user's auth method to a different (but existing) provider, disabling that user's access to the system until the provider is changed back to the correct one.
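The lockout mechanism and its fix, as an added illustration that is not the affected project's code: a toy directory in which logins are only accepted through the provider an account is pinned to, an unauthenticated setter that models the affected behaviour, and a hardened setter that requires an authenticated admin session. All names and sample accounts here are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

class AuthError(Exception):
    """Raised when a login or a privileged call is refused."""

@dataclass(frozen=True)
class Session:
    username: str
    is_admin: bool

@dataclass
class Directory:
    # Constructed sample data: the accounts each provider can authenticate...
    providers: dict = field(default_factory=lambda: {
        "builtin": {"alice", "root"},
        "ldap": {"bob"},
    })
    # ...and the provider each account is pinned to (what user_provider_set changes).
    user_provider: dict = field(default_factory=lambda: {
        "alice": "builtin", "bob": "ldap", "root": "builtin",
    })
    admins: set = field(default_factory=lambda: {"root"})

    def login(self, username: str, provider: str) -> Session:
        """Credentials are only accepted through the account's assigned provider."""
        if self.user_provider.get(username) != provider:
            raise AuthError(f"{username} is pinned to {self.user_provider.get(username)}")
        if username not in self.providers[provider]:
            raise AuthError(f"{provider} has no account for {username}")
        return Session(username, is_admin=username in self.admins)

    def user_provider_set_unauthenticated(self, username: str, provider: str) -> None:
        """Affected behaviour: no caller check, so anyone can re-pin any account."""
        if provider not in self.providers:
            raise ValueError(f"unknown provider {provider}")
        self.user_provider[username] = provider

    def user_provider_set(self, session: Optional[Session], username: str,
                          provider: str) -> None:
        """Hardened variant: an authenticated admin session is required first."""
        if session is None:
            raise AuthError("authentication required")
        if not session.is_admin:
            raise AuthError("admin privileges required")
        if provider not in self.providers:
            raise ValueError(f"unknown provider {provider}")
        self.user_provider[username] = provider
```

Re-pinning a built-in account to the LDAP provider leaves it unable to log in through either provider, which is the denial of service the advisory describes; the gated variant refuses the same call without an admin session.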