Posted to commits@syncope.apache.org by il...@apache.org on 2018/03/19 10:08:14 UTC
svn commit: r1827183 - /syncope/site/security.html
Author: ilgrosso
Date: Mon Mar 19 10:08:14 2018
New Revision: 1827183
URL: http://svn.apache.org/viewvc?rev=1827183&view=rev
Log:
Publishing security advisories
Modified:
syncope/site/security.html
Modified: syncope/site/security.html
URL: http://svn.apache.org/viewvc/syncope/site/security.html?rev=1827183&r1=1827182&r2=1827183&view=diff
==============================================================================
--- syncope/site/security.html (original)
+++ syncope/site/security.html Mon Mar 19 10:08:14 2018
@@ -8,7 +8,7 @@
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="author" content="Apache Syncope Documentation Team" />
- <meta name="Date-Revision-yyyymmdd" content="20180313" />
+ <meta name="Date-Revision-yyyymmdd" content="20180319" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Syncope – Security Advisories</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.5.min.css" />
@@ -267,6 +267,150 @@
<div class="section">
+<h3><a name="CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements"></a>CVE-2018-1321: Remote code execution by administrators with report and template entitlements</h3>
+
+<p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform
+ malicious operations, including but not limited to file read, file write, and code execution.</p>
+
+
+<p>
+ <b>Severity</b>
+ </p>
+
+<p>Medium</p>
+
+
+<p>
+ <b>Affects</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Releases prior to 1.2.11</li>
+
+<li>Releases prior to 2.0.8</li>
+ </ul>
+
+
+<p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
+
+
+<p>
+ <b>Solution</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
+
+<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+ </ul>
+
+
+
+<p>
+ <b>Mitigation</b>
+ </p>
+
+<p>Do not assign report and template entitlements to any administrator.</p>
+
+
+<p>
+ <b>Fixed in</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Release 1.2.11</li>
+
+<li>Release 2.0.8</li>
+ </ul>
+
+
+
+<p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p>
+ </div>
+
+
+<div class="section">
+<h3><a name="CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting"></a>CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting</h3>
+
+<p>An administrator with user search entitlements can recover sensitive security values using the
+ <tt>fiql</tt> and <tt>orderby</tt> parameters.</p>
+
+
+<p>
+ <b>Severity</b>
+ </p>
+
+<p>Medium</p>
+
+
+<p>
+ <b>Affects</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Releases prior to 1.2.11</li>
+
+<li>Releases prior to 2.0.8</li>
+ </ul>
+
+
+<p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
+
+
+<p>
+ <b>Solution</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
+
+<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+ </ul>
+
+
+
+<p>
+ <b>Mitigation</b>
+ </p>
+
+<p>Do not assign user search entitlements to any administrator.</p>
+
+
+<p>
+ <b>Fixed in</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Release 1.2.11</li>
+
+<li>Release 2.0.8</li>
+ </ul>
+
+
+
+<p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p>
+ </div>
+
+
+<div class="section">
<h3><a name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a>CVE-2014-3503: Insecure Random implementations used to generate passwords</h3>
<p>A password is generated for a user in Apache Syncope under certain circumstances, when no existing password
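Review bot: the two new sections carry empty `<p> </p>` elements immediately before each `<ul>` (the "Affects", "Solution" and "Fixed in" lists in both CVE-2018-1321 and CVE-2018-1322); these are generator artifacts that render as stray vertical space and should be dropped so the `<ul>` follows the bold label directly. Two wording points in the same hunk: "The unsupported Releases 1.0.x, 1.1.x may be also affected." should read "may also be affected", and the "Mitigation" lines ("Do not assign report and template entitlements to any administrator." / "Do not assign user search entitlements to any administrator.") would be clearer if stated as interim measures until the upgrade in "Solution" is applied, since withholding user search entitlements is not a workable permanent setting for most deployments. The added `<div class="section">` at the end correctly re-opens the wrapper for the existing CVE-2014-3503 section, so the element nesting stays balanced.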