Posted to commits@syncope.apache.org by il...@apache.org on 2018/03/19 11:14:48 UTC
[2/2] syncope git commit: Keep security advisories sorted by date
Keep security advisories sorted by date
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/8787624d
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/8787624d
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/8787624d
Branch: refs/heads/master
Commit: 8787624d041b9bfa9417f12e8ea3eca57d6b5813
Parents: 076cc74
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Mon Mar 19 12:14:21 2018 +0100
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Mon Mar 19 12:14:35 2018 +0100
----------------------------------------------------------------------
src/site/xdoc/security.xml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/8787624d/src/site/xdoc/security.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index fde07b9..f71503d 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -34,9 +34,9 @@ under the License.
<p>If you want to report a vulnerability, please follow <a href="http://www.apache.org/security/">the procedure</a>.</p>
- <subsection name="CVE-2018-1321: Remote code execution by administrators with report and template entitlements">
- <p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform
- malicious operations, including but not limited to file read, file write, and code execution.</p>
+ <subsection name="CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting">
+ <p>An administrator with user search entitlements can recover sensitive security values using the
+ <code>fiql</code> and <code>orderby</code> parameters.</p>
<p>
<b>Severity</b>
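Review bot: The swap is partial, and that is the risk in this hunk: only the subsection name, the description and (in the later hunks) the mitigation and CVE link lines are exchanged, while the Severity block that starts right here, and the Fixed in list further down, stay where they were as unchanged context. That is only correct if CVE-2018-1321 and CVE-2018-1322 have identical severity ratings and identical fixed-in version lists. Please confirm against the full advisories, or move each complete `<subsection>` as a unit so a reorder cannot attach one advisory's metadata to the other's text.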
@@ -67,7 +67,7 @@ under the License.
<p>
<b>Mitigation</b>
</p>
- <p>Do not assign report and template entitlements to any administrator.</p>
+ <p>Do not assign user search entitlements to any administrator.</p>
<p>
<b>Fixed in</b>
@@ -79,12 +79,12 @@ under the License.
</ul>
</p>
- <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p>
+ <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p>
</subsection>
- <subsection name="CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting">
- <p>An administrator with user search entitlements can recover sensitive security values using the
- <code>fiql</code> and <code>orderby</code> parameters.</p>
+ <subsection name="CVE-2018-1321: Remote code execution by administrators with report and template entitlements">
+ <p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform
+ malicious operations, including but not limited to file read, file write, and code execution.</p>
<p>
<b>Severity</b>
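Review bot: The ordering rule from the commit message, sorted by date, cannot be verified from the markup: neither subsection carries a date, and by identifier the new order (CVE-2018-1322 above CVE-2018-1321) reads as reversed. Consider recording the publication date inside each subsection, following the existing `<p><b>Severity</b></p>` style with a `<p><b>Published</b></p>` line, so the sort key is visible to the next editor and the order can be checked mechanically.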
@@ -115,7 +115,7 @@ under the License.
<p>
<b>Mitigation</b>
</p>
- <p>Do not assign user search entitlements to any administrator.</p>
+ <p>Do not assign report and template entitlements to any administrator.</p>
<p>
<b>Fixed in</b>
@@ -127,7 +127,7 @@ under the License.
</ul>
</p>
- <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p>
+ <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p>
</subsection>
<subsection name="CVE-2014-3503: Insecure Random implementations used to generate passwords">
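Review bot: Style point on the `full CVE advisory` links rewritten in this hunk and its twin above: both still point at `http://cve.mitre.org/...`. Since these lines are being touched anyway, switching them to https:// would avoid sending readers to the advisory over an unencrypted link.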