oss-sec mailing list archives

CVE Request: OpenPNE 3, opWebAPIPlugin, opOpenSocialPlugin -- XXE vulnerability fix


From: Kousuke Ebihara <ebihara () tejimaya com>
Date: Tue, 10 Sep 2013 14:03:11 +0900

Hi,

I'm a member of OpenPNE security handling team.

We've released our OSS products OpenPNE 3, opWebAPIPlugin and opOpenSocialPlugin to fix an XXE vulnerability.

Would you assign CVEs to them?

1. OpenPNE 3 XXE Vulnerabilities
    Affects: 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5
    Fixed: 3.8.7.1, 3.6.11.1, 3.4.21.2, 3.2.7.7, 3.0.8.6
    Commit: https://github.com/openpne/OpenPNE3/commit/6147099848185a82a18d1ba8aa84e69a7eadfcba
    Security Advisory: http://www.openpne.jp/archives/12091/
    Original reporter of this vulnerability: Kousuke Ebihara

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

2. opWebAPIPlugin XXE Vulnerabilities
    Affects: 0.5.1, 0.4.0, 0.1.0
    Fixed: 0.5.1.1, 0.4.0.1, 0.1.0.1
    Commit: https://github.com/ebihara/opWebAPIPlugin/commit/8820a4a8d7b8c8fbfa4533cc5645f371d454ca5b
    Security Advisory: http://www.openpne.jp/archives/12091/
    Original reporter of this vulnerability: Kousuke Ebihara

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

3. opOpenSocialPlugin XXE Vulnerabilities
    Affects: 0.8.2.1, 0.9.9.2, 0.9.13, 1.2.6
    Fixed: 0.8.2.2, 0.9.9.3, 0.9.13.1, 1.2.6.1
    Commit: https://github.com/openpne-ospt/opOpenSocialPlugin/commit/a19c02997cf3045ad18b57c14a05465bfb3ae88c
    Security Advisory: http://www.openpne.jp/archives/12091/
    Original reporter of this vulnerability: Kousuke Ebihara

    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Thanks,
Kousuke

-- 
Kousuke Ebihara
ebihara () tejimaya com