SERVER-50180 (Core Server)

Fix User lifetime management in AuthorizationManager::acquireUserForSessionRefresh

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.20, 4.0.21
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v3.6
    • Sprint: Security 2020-08-24
    • Linked BF Score: 15

      Description

      In 3.6 and 4.0, a User object may be leaked in AuthorizationManager::acquireUserForSessionRefresh if an error condition block is taken.

      The User object's ref count must be decremented in this error block.

      The affected code is only in 3.6 and 4.0. It was rewritten in 4.2.
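
The bug class described above, as an added example that is not MongoDB's code: a manually ref-counted object acquired at the top of a function and leaked when an error branch returns early, next to a scope-guard version that releases on every exit. It goes beyond the ticket's stated fix (an explicit decrement in the error block) by using a guard; `User`, `UserCache`, `UserGuard`, `refreshLeaky`, `refreshFixed` and `refCountAfterError` are hypothetical names.

```cpp
// Hypothetical stand-ins for a manually ref-counted, cached user object.
struct User {
    int refCount = 0;
    bool valid = true;
};
struct UserCache {
    User entry;
    User* acquire() { ++entry.refCount; return &entry; }
    void release(User* u) { --u->refCount; }
};

// Before: the error branch returns without releasing the reference,
// so the count can never drop back to zero and the object is pinned.
bool refreshLeaky(UserCache& cache, User** out) {
    User* user = cache.acquire();
    if (!user->valid) {
        return false;  // BUG: acquired reference is never released
    }
    *out = user;  // success: the caller now owns this reference
    return true;
}

// After: a scope guard releases on every exit unless ownership is handed off.
class UserGuard {
public:
    UserGuard(UserCache& c, User* u) : cache_(c), user_(u) {}
    ~UserGuard() { if (user_) cache_.release(user_); }
    UserGuard(const UserGuard&) = delete;
    User* get() const { return user_; }
    User* handOff() { User* u = user_; user_ = nullptr; return u; }
private:
    UserCache& cache_;
    User* user_;
};

bool refreshFixed(UserCache& cache, User** out) {
    UserGuard guard(cache, cache.acquire());
    if (!guard.get()->valid) {
        return false;  // guard destructor decrements the ref count here
    }
    *out = guard.handOff();
    return true;
}

// Constructed scenario: drive the error branch and report the leftover count.
int refCountAfterError(bool fixed) {
    UserCache cache;
    cache.entry.valid = false;
    User* out = nullptr;
    if (fixed) refreshFixed(cache, &out); else refreshLeaky(cache, &out);
    return cache.entry.refCount;
}
```
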

            People

            Assignee:
            mark.benvenuto Mark Benvenuto
            Reporter:
            mark.benvenuto Mark Benvenuto