oss-sec mailing list archives

[SECURITY] CVE-2018-1321: Remote code execution by administrators with report and template entitlements

From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Mon, 19 Mar 2018 12:47:45 +0100

CVE-2018-1321: Remote code execution by administrators with report andtemplate entitlements


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8

The unsupported Releases 1.0.x, 1.1.x may be also affected.

Description:

An administrator with report and template entitlements can use XSLTransformations (XSLT) to perform malicious operations, including butnot limited to file read, file write, and code execution.


Solution:
Syncope 1.2.x users upgrade to 1.2.11.
Syncope 2.0.x users upgrade to 2.0.8.

Mitigation:
Do not assign report and template entitlements to any administrator.

Credit:
This issue was discovered by Che-Chun Kuo.

References:
[1] http://syncope.apache.org/security.html

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

Current thread:

[SECURITY] CVE-2018-1321: Remote code execution by administrators with report and template entitlements Francesco Chicchiriccò (Mar 19)
- Re: [SECURITY] CVE-2018-1321: Remote code execution by administrators with report and template entitlements Daniel Kahn Gillmor (Mar 23)