CVE-2022-1162 and SAML


I need to clarify how this affects us. We’re on 14.9.2, upgrading to 14.9.4 tonight. We use only SAML for logins to our instance and have it configured for auto-signin with that provider.

I see that users seem to have local passwords anyway, even if their only identities are SAML, so I presume those are the ones that were hard-coded. Please correct me if that’s wrong. I know the CVE specifically mentions affecting OmniAuth SAML, but I don’t see how a hard-coded local password could be used to gain access to our SAML-only instance. Can someone help me understand that?

I changed this local password for a recently added user in the Rails console, and she got an email notification, which confused her more than anything because she uses only SAML for logins, and that password did not change. Is there any way to turn off those notifications when I change these passwords?

I also wonder why, for many users (but not all), there is a Password tab in the profile. It seems to allow a password to be changed without necessarily typing in the current password (on 14.9.2; the new 14.9.4 install in our accept env seems to be different). Since we use only SAML for logins, can we hide that tab?

Many thanks!

Leslie Dreyer Kalra