oss-sec mailing list archives

[SECURITY] CVE-2018-17186 Apache Syncope


From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Tue, 6 Nov 2018 10:05:59 +0100

CVE-2018-17186: XXE on BPMN definitions

Description:
An administrator holding workflow definition entitlements can embed a DTD in a BPMN definition to perform malicious operations (XML External Entity, XXE), including but not limited to file read, file write, and code execution.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11

The unsupported 1.2.x releases may also be affected.

Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2

Mitigation:
Do not assign workflow definition entitlements to any administrator.
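Beyond withholding the entitlement, the parser that loads BPMN definitions can be configured to reject any DOCTYPE, so an inline DTD is never processed. The following is an added example, not code from the advisory or from the Apache Syncope project; it uses the JDK's built-in JAXP/Xerces parser and constructed sample definitions.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class BpmnHardenedParser {

    // Build a DOM parser that refuses any DOCTYPE declaration, so neither
    // inline DTDs nor external entities in an uploaded definition are processed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder();
    }

    // Returns true when the definition parsed cleanly and its root is
    // a BPMN <definitions> element; false when the parser rejected it.
    static boolean accept(String bpmnXml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(bpmnXml)));
            return "definitions".equals(doc.getDocumentElement().getLocalName());
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a minimal BPMN definition with no DTD (accepted).
        String clean = "<?xml version=\"1.0\"?>"
            + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\"/>";
        // Constructed sample: the same definition preceded by a DOCTYPE; the
        // hardened parser rejects it before any DTD content is examined.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE definitions []>"
            + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\"/>";
        System.out.println("clean accepted: " + accept(clean));
        System.out.println("doctype accepted: " + accept(withDoctype));
    }
}
```

A rejected upload is a useful audit signal in its own right: logging the rejecting administrator account alongside the parse failure gives the entitlement misuse the advisory describes a detection point.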

Credit:
This issue was discovered by Kevin Borras Soler and Joan Bono.

References:
https://syncope.apache.org/security
