CVE-2018-1321
Summary
| CVE | CVE-2018-1321 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-03-20 17:29:00 UTC |
| Updated | 2019-04-25 18:07:00 UTC |
| Description | An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and the unsupported releases 1.0.x and 1.1.x (which may also be affected) can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Syncope | All | All | All | All |
| Application | Apache | Syncope | 1.0.0 | All | All | All |
| Application | Apache | Syncope | 1.0.4 | All | All | All |
| Application | Apache | Syncope | 1.0.5 | All | All | All |
| Application | Apache | Syncope | 1.0.6 | All | All | All |
| Application | Apache | Syncope | 1.0.7 | All | All | All |
| Application | Apache | Syncope | 1.0.8 | All | All | All |
| Application | Apache | Syncope | 1.0.9 | All | All | All |
| Application | Apache | Syncope | 1.1.0 | All | All | All |
| Application | Apache | Syncope | 1.1.1 | All | All | All |
| Application | Apache | Syncope | 1.1.2 | All | All | All |
| Application | Apache | Syncope | 1.1.3 | All | All | All |
| Application | Apache | Syncope | 1.1.4 | All | All | All |
| Application | Apache | Syncope | 1.1.5 | All | All | All |
| Application | Apache | Syncope | 1.1.6 | All | All | All |
| Application | Apache | Syncope | 1.1.7 | All | All | All |
| Application | Apache | Syncope | 1.1.8 | All | All | All |
| Application | Apache | Syncope | 1.2.0 | milestone1 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Syncope – Security Advisories | MISC | syncope.apache.org | Mitigation, Vendor Advisory |
| Apache Syncope 2.0.7 - Remote Code Execution - Windows webapps Exploit | EXPLOIT-DB | www.exploit-db.com | Third Party Advisory, VDB Entry |
| Apache Syncope CVE-2018-1321 Multiple Remote Code Execution Vulnerabilities | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980791 Java (maven) Security Update for org.apache.syncope:syncope-core (GHSA-xgc9-9w4v-h33h)