CVE-2018-1322
MEDIUM 4.9 | EPSS 6.7%
Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-core
Published: 11/6/2018 | Modified: 3/4/2024
Description
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can recover sensitive security values by filtering with the fiql parameter and sorting with the orderby parameter: the search entitlement lets the caller filter and sort on attributes that the entitlement does not let them read, and the membership and ordering of the result set act as an oracle on those values. The precondition is an authenticated administrator account (PR:H in the vector below), so the issue is a privilege boundary inside the administrative role rather than an unauthenticated disclosure. Fixed in 1.2.11 and 2.0.8.
Affected packages (1)
- Maven / org.apache.syncope:syncope-core, from 0, < 1.2.11

Note that this range covers only the 1.2 branch; the description also names 2.0.x before 2.0.8 as affected, so a dependency check should treat any syncope-core version below 1.2.11 or between 2.0.0 and 2.0.7 as vulnerable.
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |

The vector string is labelled CVSS:3.0 while the Version column says 3.1; for these metrics both versions yield the same base score of 4.9. The vector reads: reachable over the network with low attack complexity, but requiring high privileges (an administrator account) and no user interaction, with high confidentiality impact and no integrity or availability impact.
References (8)
- ADVISORY: https://github.com/advisories/GHSA-v3vf-2r98-xw8w
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-1322
- PATCH: https://github.com/apache/syncope
- WEB: https://github.com/apache/syncope/commit/44a5ca0fbd357b8b5d81aa9313fb01cca30d8ad
- WEB: https://github.com/apache/syncope/commit/735579b6f987b407049ac1f1da08e675d957c3e
- WEB: https://www.exploit-db.com/exploits/45400
- WEB: http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting
- WEB: http://www.securityfocus.com/bid/103507