Date: Mon, 19 Mar 2018 12:47:45 +0100
From: Francesco Chicchiriccò <ilgrosso@...che.org>
To: "user@...cope.apache.org" <user@...cope.apache.org>, dev@...cope.apache.org, "security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2018-1321: Remote code execution by administrators with report and template entitlements

CVE-2018-1321: Remote code execution by administrators with report and template entitlements

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8
The unsupported releases 1.0.x and 1.1.x may also be affected.

Description:
An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.

Solution:
Syncope 1.2.x users upgrade to 1.2.11.
Syncope 2.0.x users upgrade to 2.0.8.

Mitigation:
Do not assign report and template entitlements to any administrator.

Credit:
This issue was discovered by Che-Chun Kuo.

References:
http://syncope.apache.org/security.html

-- 
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
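The advisory's description is the whole story: an XSLT stylesheet handed to a JAXP transformer is not a document, it is a program, and with the JDK's default TransformerFactory it can read files through document() and call into the JVM through the Xalan/XSLTC Java extension namespace. The example below is added here to illustrate that class of issue and the standard hardening knobs; it is not code from the advisory, from Apache Syncope, or from the reporter, and it does not reproduce how Syncope's report or template features invoke XSLT. It assumes only the JDK's built-in JAXP/XSLTC implementation; the class and method names are my own, the "secret" file is constructed in a temp directory, and the extension call is deliberately benign (a System.getProperty lookup standing in for the code execution the advisory refers to).

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example, not Syncope code: runs two attacker-style stylesheets through a
 * permissive and a hardened JAXP TransformerFactory to show why letting a
 * semi-trusted administrator supply XSLT amounts to granting code execution.
 */
public class XsltTemplateHardening {

    private static final String XSL_NS = "http://www.w3.org/1999/XSL/Transform";

    /** Out-of-the-box factory: document() and Java extension calls are allowed. */
    static TransformerFactory permissiveFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened factory: no extension functions, no external DTDs, no document()/import/include. */
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing disables Java extension functions in the JDK's XSLTC.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: the stylesheet may not fetch any external resource at all.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Compiles and runs a stylesheet over a trivial input; any failure is returned as text. */
    static String transform(TransformerFactory tf, String stylesheet) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<report/>")), new StreamResult(out));
            return "output: " + out;
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Stylesheet that reads an arbitrary local file through the XSLT document() function. */
    static String fileReadStylesheet(String fileUri) {
        return "<xsl:stylesheet version='1.0' xmlns:xsl='" + XSL_NS + "'>"
             + "<xsl:output method='text'/>"
             + "<xsl:template match='/'>"
             + "<xsl:value-of select=\"document('" + fileUri + "')/secret\"/>"
             + "</xsl:template></xsl:stylesheet>";
    }

    /** Stylesheet that calls a JVM method via the Xalan/XSLTC Java extension namespace (benign call). */
    static String extensionCallStylesheet() {
        return "<xsl:stylesheet version='1.0' xmlns:xsl='" + XSL_NS + "'"
             + " xmlns:sys='http://xml.apache.org/xalan/java/java.lang.System'>"
             + "<xsl:output method='text'/>"
             + "<xsl:template match='/'>"
             + "<xsl:value-of select=\"sys:getProperty('java.version')\"/>"
             + "</xsl:template></xsl:stylesheet>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a configuration file the template author must not be able to read.
        Path secret = Files.createTempFile("xslt-demo", ".xml");
        Files.write(secret, "<secret>db-password</secret>".getBytes(StandardCharsets.UTF_8));
        try {
            for (String label : new String[] {"permissive", "hardened"}) {
                TransformerFactory tf = label.equals("permissive") ? permissiveFactory() : hardenedFactory();
                System.out.println("[" + label + "] file read -> "
                        + transform(tf, fileReadStylesheet(secret.toUri().toString())));
                System.out.println("[" + label + "] ext call  -> "
                        + transform(tf, extensionCallStylesheet()));
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

With the permissive factory the first stylesheet prints the contents of the temp file and the second prints the JVM version; with the hardened factory the extension call is refused when the stylesheet is compiled and the document() call is refused when it runs. The check a practitioner wants when reviewing any feature that accepts stylesheets from users: is FEATURE_SECURE_PROCESSING set, are both ACCESS_EXTERNAL_* attributes empty, and is a custom URIResolver in place if some controlled includes are required. Note the caveat the advisory itself draws: these knobs reduce the blast radius of a malicious template, but a stylesheet still fully controls the generated output, so the real fix is the upgrade, and until then the mitigation is to treat the report and template entitlements as equivalent to code-execution rights and not grant them.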