CVE-2018-17186: XXE on BPMN definitions

Description: An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11
The unsupported 1.2.x releases may also be affected.

Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2

Mitigation: Do not assign workflow definition entitlements to any administrator.

Credit: This issue was discovered by Kevin Borras Soler and Joan Bono.

References: https://syncope.apache.org/security
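The root cause named above is an XML parser that honours DTDs in administrator-supplied BPMN definitions. The parser-level countermeasure is to refuse any DOCTYPE before the workflow engine sees the document. The following is an added example of that configuration using the JDK's standard JAXP API; it is not Syncope's own code and does not describe how the project fixed the issue. The BPMN skeletons it parses are constructed samples, and the class and method names are the example's own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical helper (not Syncope code): parses BPMN XML with DTD processing disabled.
public class HardenedBpmnParser {

    // Build a DocumentBuilderFactory that refuses DTDs and never resolves external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any <!DOCTYPE ...> outright: with no DTD there is no entity to expand.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns true when the definition parsed, false when the hardened parser rejected it.
    static boolean parseDefinition(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            System.out.println("accepted: root element " + doc.getDocumentElement().getNodeName());
            return true;
        } catch (SAXParseException e) {
            // Xerces reports the disallowed DOCTYPE here; log it as a policy violation.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal BPMN definition with no DTD.
        String clean = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">"
            + "<process id=\"userWorkflow\"/></definitions>";
        // Constructed sample: the same skeleton carrying a DOCTYPE with an internal entity.
        // The hardened parser rejects it on the DOCTYPE alone, before any entity is looked at.
        String withDtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<!DOCTYPE definitions [<!ENTITY ex \"placeholder\">]>"
            + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">"
            + "<process id=\"&ex;\"/></definitions>";
        parseDefinition(clean);    // accepted
        parseDefinition(withDtd);  // rejected
    }
}
```

Rejecting the DOCTYPE declaration itself is the check that matters: disabling external entities alone still leaves internal entity expansion and parameter-entity tricks in play, whereas a definition that cannot carry a DTD cannot carry an XXE. The entitlement-based mitigation in the advisory limits who can submit definitions; the parser configuration limits what a submitted definition can do, and the two are complementary.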