CVE-2018-1322
Summary
| CVE | CVE-2018-1322 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-03-20 17:29:00 UTC |
| Updated | 2019-03-08 15:15:00 UTC |
| Description | An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x (which may also be affected), can recover sensitive security values using the fiql and orderby parameters. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Syncope | All | All | All | All |
| Application | Apache | Syncope | 1.0.0 | All | All | All |
| Application | Apache | Syncope | 1.0.3 | All | All | All |
| Application | Apache | Syncope | 1.0.4 | All | All | All |
| Application | Apache | Syncope | 1.0.5 | All | All | All |
| Application | Apache | Syncope | 1.0.6 | All | All | All |
| Application | Apache | Syncope | 1.0.7 | All | All | All |
| Application | Apache | Syncope | 1.0.8 | All | All | All |
| Application | Apache | Syncope | 1.0.9 | All | All | All |
| Application | Apache | Syncope | 1.1.0 | All | All | All |
| Application | Apache | Syncope | 1.1.1 | All | All | All |
| Application | Apache | Syncope | 1.1.2 | All | All | All |
| Application | Apache | Syncope | 1.1.3 | All | All | All |
| Application | Apache | Syncope | 1.1.4 | All | All | All |
| Application | Apache | Syncope | 1.1.5 | All | All | All |
| Application | Apache | Syncope | 1.1.6 | All | All | All |
| Application | Apache | Syncope | 1.1.7 | All | All | All |
| Application | Apache | Syncope | 1.1.8 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Syncope 2.0.7 - Remote Code Execution - Windows webapps Exploit | EXPLOIT-DB | www.exploit-db.com | Third Party Advisory, VDB Entry |
| Apache Syncope – Security Advisories | MISC | syncope.apache.org | Mitigation, Vendor Advisory |
| Apache Syncope CVE-2018-1322 Multiple Information Disclosure Vulnerabilities | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980866 Java (maven) Security Update for org.apache.syncope:syncope-core (GHSA-v3vf-2r98-xw8w)