www-announce mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject [SECURITY] CVE-2018-1321: Remote code execution by administrators with report and template entitlements
Date Tue, 20 Mar 2018 07:24:10 GMT
CVE-2018-1321: Remote code execution by administrators with report and 
template entitlements

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
* Releases prior to 1.2.11
* Releases prior to 2.0.8

The unsupported releases 1.0.x and 1.1.x may also be affected.

Description:
An administrator with report and template entitlements can use XSL 
Transformations (XSLT) to perform malicious operations, including but 
not limited to file read, file write, and code execution.

Solution:
Syncope 1.2.x users should upgrade to 1.2.11.
Syncope 2.0.x users should upgrade to 2.0.8.

Mitigation:
Do not assign report and template entitlements to any administrator.

Credit:
This issue was discovered by Che-Chun Kuo.

References:
[1] http://syncope.apache.org/security.html
