Posted to announce@apache.org by Francesco Chicchiriccò <il...@apache.org> on 2018/03/20 07:24:37 UTC

[SECURITY] CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8

The unsupported releases 1.0.x and 1.1.x may also be affected.

Description:
An administrator with user search entitlements can recover sensitive
security values using the fiql and orderby parameters.

Solution:
Syncope 1.2.x users upgrade to 1.2.11.
Syncope 2.0.x users upgrade to 2.0.8.

Mitigation:
Do not assign user search entitlements to any administrator.

Credit:
This issue was discovered by Che-Chun Kuo.

References:
[1] http://syncope.apache.org/security.html