Posted to dev@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2018/11/06 09:05:59 UTC

[SECURITY] CVE-2018-17186 Apache Syncope

CVE-2018-17186: XXE on BPMN definitions

Description:
An administrator with workflow definition entitlements can embed a DTD in a
BPMN workflow definition (XML External Entity, XXE) to perform malicious
operations, including but not limited to file read, file write, and code
execution.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11

The unsupported 1.2.x releases may also be affected.

Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2

Mitigation:
Do not assign workflow definition entitlements to any administrator.
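The entitlement restriction above limits who can upload a definition; the code-level control for this bug class is to make the XML parser that reads uploaded BPMN refuse any DTD before entity resolution can occur. The following is an added illustration written for this advisory, not code from Apache Syncope or from the workflow engine it embeds: it builds a hardened JAXP `DocumentBuilder` and checks that a constructed definition without a DOCTYPE is accepted while the same definition carrying a DOCTYPE is rejected. The BPMN snippets are constructed samples, and the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper, not part of Syncope: a DTD-free parser for uploaded workflow XML.
public class HardenedBpmnParser {

    // Build a DocumentBuilder that refuses any DTD and never touches external resources.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright; this is the single most effective XXE control.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: empty string means no protocol is allowed for external access.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Returns true when the document parses under the hardened configuration,
    // false when the parser refuses it (which is the desired outcome for any DTD).
    static boolean accepts(String xml) {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc != null;
        } catch (SAXException e) {
            // The parser rejected the input, e.g. because a DOCTYPE was present.
            return false;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException("parser setup failed", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a minimal BPMN-like definition with no DTD, standing in for a legitimate upload.
        String clean = "<?xml version=\"1.0\"?>"
            + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">"
            + "<process id=\"userWorkflow\"/></definitions>";
        // Constructed sample: the same definition carrying a DOCTYPE with an internal entity.
        // The hardened builder rejects any DTD, internal or external, before entities are resolved.
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE definitions [<!ENTITY x \"probe\">]>"
            + "<definitions><process id=\"&x;\"/></definitions>";
        System.out.println("definition without DTD accepted: " + accepts(clean));
        System.out.println("definition with DTD accepted:    " + accepts(withDtd));
    }
}
```

Rejecting the DOCTYPE declaration is preferable to only disabling external entities: it also removes internal-entity expansion attacks and does not depend on which entity-resolution features a given SAX implementation supports. Where a workflow format legitimately needs a DTD, the fallback is to disable external general and parameter entities and external DTD loading, as the defence-in-depth lines above do.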

Credit:
This issue was discovered by Kevin Borras Soler and Joan Bono.

References:
https://syncope.apache.org/security