[oss-security] [SECURITY] CVE-2018-17186 Apache Syncope
Francesco Chicchiriccò
2018-11-06 09:05:59 UTC
CVE-2018-17186: XXE on BPMN definitions

Description:
An administrator holding workflow definition entitlements can embed a DTD
in a BPMN workflow definition and use it to perform malicious operations,
including but not limited to file read, file write, and code execution.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11

The unsupported 1.2.x releases may also be affected.

Solution:
2.0.x users should upgrade to 2.0.11
2.1.x users should upgrade to 2.1.2

Mitigation:
Do not assign workflow definition entitlements to any administrator.
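As an added illustration of the defensive check behind this advisory (example code written here, not Apache Syncope's own), the following Python gate refuses any BPMN workflow definition that carries a DOCTYPE or entity declaration before it reaches a full XML parser; it uses only the standard library, and both BPMN documents are constructed samples.

```python
from xml.parsers import expat


class UnsafeBpmnDefinition(Exception):
    """The definition carries a DOCTYPE or entity declaration (an XXE vector)."""


def process_ids_from_bpmn(xml_bytes: bytes) -> list:
    """Return the ids of <process> elements, rejecting any DTD construct up front.

    Refusing the DOCTYPE itself (not only external entities) means neither
    external entity resolution nor entity expansion can happen downstream.
    """
    parser = expat.ParserCreate()
    found = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeBpmnDefinition(f"DOCTYPE '{name}' is not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeBpmnDefinition(f"entity '{name}' is not allowed")

    def on_start(name, attrs):
        if name.rsplit(":", 1)[-1] == "process":  # also matches "bpmn:process"
            found.append(attrs.get("id", ""))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # an exception raised in a handler propagates
    return found


def bpmn_definition_is_safe(xml_bytes: bytes) -> bool:
    """False when a DTD construct is present; malformed XML still raises ExpatError."""
    try:
        process_ids_from_bpmn(xml_bytes)
    except UnsafeBpmnDefinition:
        return False
    return True


# Constructed minimal BPMN definition of the kind an administrator would upload.
SAFE_BPMN = b"""<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             targetNamespace="http://example.invalid/bpmn">
  <process id="userWorkflow" name="User Workflow"><startEvent id="start"/></process>
</definitions>"""

# The same definition with a DTD prepended: the shape the advisory warns about.
UNSAFE_BPMN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE definitions [<!ENTITY ext SYSTEM "file:///local/path">]>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <process id="userWorkflow"><startEvent id="start"/></process>
</definitions>"""
```

Running the gate ahead of the engine's parser is independent of the engine's own parser settings, which is what makes it a useful belt-and-braces check alongside the upgrade.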

Credit:
This issue was discovered by Kevin Borras Soler and Joan Bono.

References:
https://syncope.apache.org/security
