Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Mar 2018 12:49:36 +0100
From: Francesco Chicchiriccò <ilgrosso@...che.org>
To: "user@...cope.apache.org" <user@...cope.apache.org>,
 dev@...cope.apache.org, "security@...che.org" <security@...che.org>,
 oss-security@...ts.openwall.com
Subject: [SECURITY] CVE-2018-1322: Information disclosure via FIQL and ORDER
 BY sorting

CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8

The unsupported Releases 1.0.x, 1.1.x may be also affected.

Description:
An administrator with user search entitlements can recover sensitive
security values using the fiql and orderby parameters.

Solution:
Syncope 1.2.x users upgrade to 1.2.11.
Syncope 2.0.x users upgrade to 2.0.8.

Mitigation:
Do not assign user search entitlements to any administrator.

Credit:
This issue was discovered by Che-Chun Kuo.

References:
[1] http://syncope.apache.org/security.html

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ