Posted to user@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2018/03/19 11:47:45 UTC
[SECURITY] CVE-2018-1321: Remote code execution by administrators with report and template entitlements
CVE-2018-1321: Remote code execution by administrators with report and template entitlements
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8
The unsupported releases 1.0.x and 1.1.x may also be affected.
Description:
An administrator with report and template entitlements can use XSL
Transformations (XSLT) to perform malicious operations, including but
not limited to file read, file write, and code execution.
Solution:
Syncope 1.2.x users should upgrade to 1.2.11.
Syncope 2.0.x users should upgrade to 2.0.8.
Mitigation:
Do not assign report and template entitlements to any administrator.
Credit:
This issue was discovered by Che-Chun Kuo.
References:
[1] http://syncope.apache.org/security.html
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/