Posted to commits@syncope.apache.org by il...@apache.org on 2018/03/19 10:06:58 UTC

[3/3] syncope git commit: Adding security advisories

Adding security advisories


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/076cc74c
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/076cc74c
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/076cc74c

Branch: refs/heads/master
Commit: 076cc74c46e99479f21ac7e81aa64a3bee8c7764
Parents: ea4fb50
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Mon Mar 19 11:05:26 2018 +0100
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Mon Mar 19 11:06:47 2018 +0100

----------------------------------------------------------------------
 src/site/xdoc/security.xml | 96 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/076cc74c/src/site/xdoc/security.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index f5b9be3..fde07b9 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -34,6 +34,102 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a href="http://www.apache.org/security/">the procedure</a>.</p>
 
+      <subsection name="CVE-2018-1321: Remote code execution by administrators with report and template entitlements">	
+        <p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform
+          malicious operations, including but not limited to file read, file write, and code execution.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Medium</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>Releases prior to 1.2.11</li>
+            <li>Releases prior to 2.0.8</li>
+          </ul>
+        </p>
+        <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>Syncope 1.2.x users should upgrade to 1.2.11</li>
+            <li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+          </ul>          
+        </p>
+        
+        <p>
+          <b>Mitigation</b>
+        </p>
+        <p>Do not assign report and template entitlements to any administrator.</p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 1.2.11</li>
+            <li>Release 2.0.8</li>
+          </ul>
+        </p>
+
+        <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p>
+      </subsection>
+
+      <subsection name="CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting">	
+        <p>An administrator with user search entitlements can recover sensitive security values using the
+          <code>fiql</code> and <code>orderby</code> parameters.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Medium</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>Releases prior to 1.2.11</li>
+            <li>Releases prior to 2.0.8</li>
+          </ul>
+        </p>
+        <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>Syncope 1.2.x users should upgrade to 1.2.11</li>
+            <li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+          </ul>          
+        </p>
+        
+        <p>
+          <b>Mitigation</b>
+        </p>
+        <p>Do not assign user search entitlements to any administrator.</p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 1.2.11</li>
+            <li>Release 2.0.8</li>
+          </ul>
+        </p>
+
+        <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p>
+      </subsection>
+
       <subsection name="CVE-2014-3503: Insecure Random implementations used to generate passwords">	
         <p>A password is generated for a user in Apache Syncope under certain  circumstances, when no existing password 
           is found. However, the password generation code is relying on insecure Random implementations, which means
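Review bot: each of the four lists in this hunk is nested directly inside a `<p>` (the pattern `<p>` / `<ul>` / `<li>Releases prior to 1.2.11</li>` … `</ul>` / `</p>` under "Affects", "Solution" and "Fixed in"), which is not valid XHTML because a paragraph cannot contain block content; when the xdoc is rendered, browsers close the paragraph early and leave stray `</p>` tags in the page. Drop the wrapping `<p>`/`</p>` around those lists, or move each list out of the paragraph. Smaller points: the two new "full CVE advisory" links to cve.mitre.org use plain `http://`, which on a page that tells people how to report vulnerabilities is worth switching to `https://`; "The unsupported Releases 1.0.x, 1.1.x may be also affected." should read "may also be affected" in both subsections; and the two `<subsection name="CVE-2018-...">` lines end with a trailing tab, while the `</ul>` lines under "Solution" carry trailing spaces.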