List: oss-security
Subject: [oss-security] [SECURITY] CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting
From: Francesco_Chicchiriccò <ilgrosso () apache ! org>
Date: 2018-03-19 11:49:36
Message-ID: 47a2120e-2b3d-4e39-4e6f-1914d57c5c7c () apache ! org
CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8
The unsupported releases 1.0.x and 1.1.x may also be affected.
Description:
An administrator with user search entitlements can recover sensitive
security values using the fiql and orderby parameters.
Solution:
Syncope 1.2.x users upgrade to 1.2.11.
Syncope 2.0.x users upgrade to 2.0.8.
Mitigation:
Do not assign user search entitlements to any administrator.
Credit:
This issue was discovered by Che-Chun Kuo.
References:
[1] http://syncope.apache.org/security.html
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
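The advisory describes the bug class only at the level of "fiql and orderby parameters". The following is an added example, written for this page and not code from Apache Syncope or from the advisory's author, that models the class on a toy search endpoint: a filter and a sort that are evaluated against every attribute while only "safe" attributes are projected into the response. It shows the two oracles an administrator with search rights gets from that (a FIQL prefix oracle and an ORDER BY comparison oracle) and a hardened variant that checks the filter and sort attributes against an allow-list before the query runs. The user records, the attribute name "secretAnswer", and the assumption that the attacker can set that attribute on one account they control (the "probe" user) are all constructed for the example and are not taken from Syncope.

```python
# Added example (not Apache Syncope code): a toy user-search endpoint that takes
# a FIQL filter and an ORDER BY attribute, the two oracle attacks that recover a
# hidden attribute through it, and a hardened variant that closes both.
# All user records and attribute names below are constructed for the example.
import string

# Constructed user store. "secretAnswer" stands in for any attribute that the
# API must never disclose (e.g. a security-question answer).
USERS = [
    {"username": "alice", "email": "alice@example.org", "secretAnswer": "tabby"},
    {"username": "bob",   "email": "bob@example.org",   "secretAnswer": "rover"},
    {"username": "carol", "email": "carol@example.org", "secretAnswer": "nemo"},
]
RETURNABLE = {"username", "email"}   # projected into responses
SEARCHABLE = {"username", "email"}   # hardened: filter/sort allowed only on these

def parse_fiql(expr):
    """Minimal FIQL: a single 'attr==value' term; a trailing '*' is a wildcard."""
    attr, op, value = expr.partition("==")
    if not op:
        raise ValueError("only attr==value terms are modelled")
    return attr, value

def matches(user, attr, value):
    actual = str(user.get(attr, ""))
    return actual.startswith(value[:-1]) if value.endswith("*") else actual == value

def search_vulnerable(fiql=None, orderby=None):
    """Filters and sorts on ANY attribute, then projects sensitive ones away.
    The secret never appears in the response, but the response depends on it."""
    rows = USERS
    if fiql:
        attr, value = parse_fiql(fiql)
        rows = [u for u in rows if matches(u, attr, value)]
    if orderby:
        rows = sorted(rows, key=lambda u: str(u.get(orderby, "")))
    return [u["username"] for u in rows]   # only RETURNABLE data leaves the API

def search_hardened(fiql=None, orderby=None):
    """Same API, but the filter and sort attributes are checked against
    SEARCHABLE before the query runs, so no response can depend on a hidden one."""
    used = ([parse_fiql(fiql)[0]] if fiql else []) + ([orderby] if orderby else [])
    for attr in used:
        if attr not in SEARCHABLE:
            raise PermissionError(f"attribute {attr!r} is not searchable")
    return search_vulnerable(fiql, orderby)

def recover_via_fiql(search, username, attr, alphabet=string.ascii_lowercase, max_len=32):
    """Prefix oracle: does `username` survive the filter attr==<prefix>*?
    One yes/no answer per query, at most |alphabet| queries per character."""
    prefix = ""
    for _ in range(max_len):
        for ch in alphabet:
            if username in search(fiql=f"{attr}=={prefix + ch}*"):
                prefix += ch
                break
        else:
            return prefix   # no extension matches: the value is complete
    return prefix

def set_probe(attr, value):
    """Assumption of the model: the attacker can set `attr` on one account they
    control (user 'probe'), which the sort then ranks against the target."""
    USERS[:] = [u for u in USERS if u["username"] != "probe"]
    USERS.append({"username": "probe", "email": "probe@example.org", attr: value})

def recover_via_orderby(search, username, attr, alphabet=string.ascii_lowercase, max_len=32):
    """Comparison oracle: with probe value p, ORDER BY attr places 'probe' after
    the target exactly when p >= target (stable sort, probe appended last).
    A '~' sentinel (> every alphabet char) turns that into 'is ch > target[i]?',
    so each character costs only log2(|alphabet|) queries."""
    def probe_after_target(value):
        set_probe(attr, value)
        order = search(orderby=attr)
        return order.index("probe") > order.index(username)
    prefix = ""
    for _ in range(max_len):
        if probe_after_target(prefix):   # prefix == target: finished
            return prefix
        lo, hi = 0, len(alphabet) - 1
        while lo < hi:                   # smallest ch with prefix+ch+'~' > target
            mid = (lo + hi) // 2
            if probe_after_target(prefix + alphabet[mid] + "~"):
                hi = mid
            else:
                lo = mid + 1
        prefix += alphabet[lo]
    return prefix

if __name__ == "__main__":
    print(recover_via_fiql(search_vulnerable, "alice", "secretAnswer"))     # tabby
    print(recover_via_orderby(search_vulnerable, "carol", "secretAnswer"))  # nemo
    try:
        recover_via_fiql(search_hardened, "alice", "secretAnswer")
    except PermissionError as e:
        print("hardened:", e)
```

The point of the hardened variant is where the check sits: projecting sensitive attributes out of the response is not enough, because a filter or sort that is evaluated against those attributes still makes the response a function of them. The allow-list has to be applied to the filter and sort attributes before the query is executed, which is also why the advisory's interim mitigation is to withhold the search entitlement altogether rather than to restrict what the search returns.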