Description
Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can recover sensitive security values using the fiql and orderby parameters.
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-1322
- https://github.com/apache/syncope/commit/44a5ca0fbd357b8b5d81aa9313fb01cca30d8ad
- https://github.com/apache/syncope/commit/735579b6f987b407049ac1f1da08e675d957c3e
- https://github.com/advisories/GHSA-v3vf-2r98-xw8w
- https://www.exploit-db.com/exploits/45400
- http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting
- http://www.securityfocus.com/bid/103507
Packages
Name: org.apache.syncope:syncope-core (maven)
Affected versions: < 1.2.11
Fixed version: 1.2.11
Name: org.apache.syncope:syncope-core (maven)
Affected versions: >= 2.0.0, < 2.0.8
Fixed version: 2.0.8
Related vulnerabilities
CVSS3: 4.9
nvd
almost 8 years ago
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.