Repository: syncope
Updated Branches:
  refs/heads/2_0_X ef29709a0 -> 32265a294
Adding security advisories Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/32265a29 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/32265a29 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/32265a29 Branch: refs/heads/2_0_X Commit: 32265a2944e9bb78e5b0e419fdb2bdc15529eecf Parents: ef29709 Author: Francesco Chicchiriccò <[email protected]> Authored: Mon Mar 19 11:05:26 2018 +0100 Committer: Francesco Chicchiriccò <[email protected]> Committed: Mon Mar 19 11:05:26 2018 +0100 ---------------------------------------------------------------------- src/site/xdoc/security.xml | 96 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/32265a29/src/site/xdoc/security.xml ---------------------------------------------------------------------- diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index f5b9be3..fde07b9 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml 
@@ -34,6 +34,102 @@ under the License. <p>If you want to report a vulnerability, please follow <a href="http://www.apache.org/security/">the procedure</a>.</p> + <subsection name="CVE-2018-1321: Remote code execution by administrators with report and template entitlements"> + <p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform + malicious operations, including but not limited to file read, file write, and code execution.</p> + + <p> + <b>Severity</b> + </p> + <p>Medium</p> + + <p> + <b>Affects</b> + </p> + <p> + <ul> + <li>Releases prior to 1.2.11</li> + <li>Releases prior to 2.0.8</li> + </ul> + </p> + <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p> + + <p> + <b>Solution</b> + </p> + <p> + <ul> + <li>Syncope 1.2.x users should upgrade to 1.2.11</li> + <li>Syncope 2.0.x users should upgrade to 2.0.8</li> + </ul> + </p> + + <p> + <b>Mitigation</b> + </p> + <p>Do not assign report and template entitlements to any administrator.</p> + + <p> + <b>Fixed in</b> + </p> + <p> + <ul> + <li>Release 1.2.11</li> + <li>Release 2.0.8</li> + </ul> + </p> + + <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p> + </subsection> + + <subsection name="CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting"> + <p>An administrator with user search entitlements can recover sensitive security values using the + <code>fiql</code> and <code>orderby</code> parameters.</p> + + <p> + <b>Severity</b> + </p> + <p>Medium</p> + + <p> + <b>Affects</b> + </p> + <p> + <ul> + <li>Releases prior to 1.2.11</li> + <li>Releases prior to 2.0.8</li> + </ul> + </p> + <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p> + + <p> + <b>Solution</b> + </p> + <p> + <ul> + <li>Syncope 1.2.x users should upgrade to 1.2.11</li> + <li>Syncope 2.0.x users should upgrade to 2.0.8</li> + </ul> + </p> + + <p> + <b>Mitigation</b> + </p> + <p>Do not assign user search 
entitlements to any administrator.</p> + + <p> + <b>Fixed in</b> + </p> + <p> + <ul> + <li>Release 1.2.11</li> + <li>Release 2.0.8</li> + </ul> + </p> + + <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p> + </subsection> + <subsection name="CVE-2014-3503: Insecure Random implementations used to generate passwords"> <p>A password is generated for a user in Apache Syncope under certain circumstances, when no existing password is found. However, the password generation code is relying on insecure Random implementations, which means
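Review bot: The Affects, Solution and Fixed in lists in both new subsections are written as `<p><ul>...</ul></p>`; a `<ul>` is not a valid child of `<p>` in the rendered HTML, so drop the wrapping `<p>` around each `<ul>` (the `<p><b>Affects</b></p>` label above it can stay) so the advisory page renders consistently. The two advisory links `http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321` and `http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322` should point at https on a page whose purpose is to send readers to authoritative vulnerability details. Minor wording, repeated in both subsections: "may be also affected" should read "may also be affected".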
