Posted to commits@syncope.apache.org by il...@apache.org on 2018/11/06 09:15:28 UTC
svn commit: r1845880 - /syncope/site/security.html
Author: ilgrosso
Date: Tue Nov 6 09:15:28 2018
New Revision: 1845880
URL: http://svn.apache.org/viewvc?rev=1845880&view=rev
Log:
Publishing 2 security advisories
Modified:
syncope/site/security.html
Modified: syncope/site/security.html
URL: http://svn.apache.org/viewvc/syncope/site/security.html?rev=1845880&r1=1845879&r2=1845880&view=diff
==============================================================================
--- syncope/site/security.html (original)
+++ syncope/site/security.html Tue Nov 6 09:15:28 2018
@@ -8,7 +8,7 @@
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="author" content="Apache Syncope Documentation Team" />
- <meta name="Date-Revision-yyyymmdd" content="20181102" />
+ <meta name="Date-Revision-yyyymmdd" content="20181106" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Syncope – Security Advisories</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.5.min.css" />
@@ -269,6 +269,143 @@
<div class="section">
+<h3><a name="CVE-2018-17186:_XXE_on_BPMN_definitions"></a>CVE-2018-17186: XXE on BPMN definitions</h3>
+
+<p>An administrator with workflow definition entitlements can use DTD to perform malicious operations, including
+ but not limited to file read, file write, and code execution.</p>
+
+
+<p>
+ <b>Severity</b>
+ </p>
+
+<p>Medium</p>
+
+
+<p>
+ <b>Affects</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Releases prior to 2.0.11</li>
+
+<li>Releases prior to 2.1.2</li>
+ </ul>
+
+
+<p>The unsupported Releases 1.2.x may be also affected.</p>
+
+
+<p>
+ <b>Solution</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>2.0.X users should upgrade to 2.0.11</li>
+
+<li>2.1.X users should upgrade to 2.1.2</li>
+ </ul>
+
+
+
+<p>
+ <b>Mitigation</b>
+ </p>
+
+<p>Do not assign workflow definition entitlements to any administrator.</p>
+
+
+<p>
+ <b>Fixed in</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Release 2.0.11</li>
+
+<li>Release 2.1.2</li>
+ </ul>
+
+
+
+<p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17186">full CVE advisory</a>.</p>
+ </div>
+
+
+<div class="section">
+<h3><a name="CVE-2018-17184:_Stored_XSS"></a>CVE-2018-17184: Stored XSS</h3>
+
+<p>A malicious user with enough administration entitlements can inject html-like elements containing JavaScript
+ statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions.<br />
+ When another user with enough administration entitlements edits one of the Entities above via Admin Console,
+ the injected JavaScript code is executed.</p>
+
+
+<p>
+ <b>Severity</b>
+ </p>
+
+<p>Important</p>
+
+
+<p>
+ <b>Affects</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Releases prior to 2.0.11</li>
+
+<li>Releases prior to 2.1.2</li>
+ </ul>
+
+
+
+<p>
+ <b>Solution</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>2.0.X users should upgrade to 2.0.11</li>
+
+<li>2.1.X users should upgrade to 2.1.2</li>
+ </ul>
+
+
+
+<p>
+ <b>Fixed in</b>
+ </p>
+
+<p>
+ </p>
+<ul>
+
+<li>Release 2.0.11</li>
+
+<li>Release 2.1.2</li>
+ </ul>
+
+
+
+<p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17184">full CVE advisory</a>.</p>
+ </div>
+
+
+<div class="section">
<h3><a name="CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting"></a>CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting</h3>
<p>An administrator with user search entitlements can recover sensitive security values using the
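Review bot: The new CVE-2018-17184 (Stored XSS) section has no Mitigation block, while the CVE-2018-17186 section right above it does (`<b>Mitigation</b>` followed by `<p>Do not assign workflow definition entitlements to any administrator.</p>`); since the description says injection requires "enough administration entitlements" and the payload fires when another administrator edits the affected Connector names, Report names, AnyTypeClass keys or Policy descriptions, either add an equivalent Mitigation paragraph for users who cannot upgrade immediately (for example, limiting who holds the entitlements that allow editing those entities) or state explicitly that upgrading is the only remedy, so the two advisories read consistently. Two smaller points in the same hunk: the sentence "The unsupported Releases 1.2.x may be also affected." should read "may also be affected", and each `<ul>` in both sections is preceded by an empty `<p>` / `</p>` pair, which renders as a blank paragraph and could be dropped from the site source.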