From Francesco Chicchiriccò <ilgro...@apache.org>
Subject [SECURITY] CVE-2018-17186 Apache Syncope
Date Tue, 06 Nov 2018 09:05:59 GMT
CVE-2018-17186: XXE on BPMN definitions

Description:
An administrator with workflow definition entitlements can use a DTD to
perform malicious operations, including but not limited to file read,
file write, and code execution.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11

The unsupported 1.2.x releases may also be affected.

Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2

Mitigation:
Do not assign workflow definition entitlements to any administrator.
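A parser-side check of the kind this class of issue calls for, as an added example that is not Syncope's own code: refuse any workflow definition that declares a DTD before it reaches a parser that would expand entities, and never load external parameter entities. The BPMN sample documents are constructed for the example.

```python
"""Reject XML workflow definitions that carry a DOCTYPE before they reach
an entity-expanding parser.

Added example, not Apache Syncope's parser configuration.
The sample documents below are constructed.
"""
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a submitted definition declares a DTD."""


def parse_without_dtd(document: bytes) -> list[str]:
    """Parse `document` with DTD processing refused; return element names in
    document order. Any <!DOCTYPE ...> aborts the parse with DoctypeRejected."""
    parser = xml.parsers.expat.ParserCreate()
    elements: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse().
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in definitions")

    parser.StartDoctypeDeclHandler = on_doctype
    # Never fetch external parameter entities, even if a DTD slipped through.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(document, True)
    return elements


def is_safe_definition(document: bytes) -> bool:
    """True only if the definition parses with no DTD and no XML error."""
    try:
        parse_without_dtd(document)
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed samples: a minimal clean BPMN definition and one with a DTD.
CLEAN_BPMN = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"'
              b' id="userWorkflow"><process id="userWorkflow">'
              b'<startEvent id="start"/></process></definitions>')
DOCTYPE_BPMN = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE definitions [<!ENTITY greeting "hello">]>'
                b'<definitions><process id="p">&greeting;</process></definitions>')
```

Applying the same check to every uploaded definition means the entitlement mitigation above is no longer the only line of defence.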

Credit:
This issue was discovered by Kevin Borras Soler and Joan Bono.

References:
https://syncope.apache.org/security
