oss-sec mailing list archives
[SECURITY] CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting
From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Mon, 19 Mar 2018 12:49:36 +0100
CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8
The unsupported Releases 1.0.x, 1.1.x may also be affected.

Description:
An administrator with user search entitlements can recover sensitive security values using the fiql and orderby parameters.

Solution:
Syncope 1.2.x users upgrade to 1.2.11.
Syncope 2.0.x users upgrade to 2.0.8.

Mitigation:
Do not assign user search entitlements to any administrator.

Credit:
This issue was discovered by Che-Chun Kuo.

References:
[1] http://syncope.apache.org/security.html

--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/