Description

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.

Remediation

References

http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting

http://www.securityfocus.com/bid/103507

https://www.exploit-db.com/exploits/45400/

Related Vulnerabilities

CVE-2019-1003005 Vulnerability in maven package org.jenkins-ci.plugins:script-security

CVE-2015-7501 Vulnerability in maven package commons-collections:commons-collections

CVE-2022-34870 Vulnerability in maven package org.apache.geode:geode-pulse

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-drill

CVE-2019-10080 Vulnerability in maven package org.apache.nifi:nifi-lookup-services-bundle

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Tags

Mitigation Vendor Advisory Third Party Advisory VDB Entry