cnvd - cnvd-2018-22660

CNVD-2018-22660

Vulnerability from cnvd - Published: 2018-11-07

Title

Apache Syncope跨站脚本漏洞

Description

Apache Syncope是一个用于管理企业环境中的数字身份的开源系统，采用Java EE技术实现，并在Apache 2.0许可下发布。 Apache Syncope存在存储型跨站脚本漏洞。具有足够管理权限的恶意用户可利用该漏洞将包含JavaScript语句的类似html的元素注入到Connector名称、Report名称、AnyTypeClass键及Policy描述中，当具有足够管理权限的其他用户通过管理控制台编辑上述实体之一时，注入的JavaScript代码将被执行。

Severity

中

Patch Name

Apache Syncope跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions

Reference

https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions

Impacted products

Name
['Apache Syncope <2.0.11', 'Apache Syncope <2.1.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-17184"
    }
  },
  "description": "Apache Syncope\u662f\u4e00\u4e2a\u7528\u4e8e\u7ba1\u7406\u4f01\u4e1a\u73af\u5883\u4e2d\u7684\u6570\u5b57\u8eab\u4efd\u7684\u5f00\u6e90\u7cfb\u7edf\uff0c\u91c7\u7528Java EE\u6280\u672f\u5b9e\u73b0\uff0c\u5e76\u5728Apache 2.0\u8bb8\u53ef\u4e0b\u53d1\u5e03\u3002\n\nApache Syncope\u5b58\u5728\u5b58\u50a8\u578b\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u5177\u6709\u8db3\u591f\u7ba1\u7406\u6743\u9650\u7684\u6076\u610f\u7528\u6237\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u5305\u542bJavaScript\u8bed\u53e5\u7684\u7c7b\u4f3chtml\u7684\u5143\u7d20\u6ce8\u5165\u5230Connector\u540d\u79f0\u3001Report\u540d\u79f0\u3001AnyTypeClass\u952e\u53caPolicy\u63cf\u8ff0\u4e2d\uff0c\u5f53\u5177\u6709\u8db3\u591f\u7ba1\u7406\u6743\u9650\u7684\u5176\u4ed6\u7528\u6237\u901a\u8fc7\u7ba1\u7406\u63a7\u5236\u53f0\u7f16\u8f91\u4e0a\u8ff0\u5b9e\u4f53\u4e4b\u4e00\u65f6\uff0c\u6ce8\u5165\u7684JavaScript\u4ee3\u7801\u5c06\u88ab\u6267\u884c\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-22660",
  "openTime": "2018-11-07",
  "patchDescription": "Apache Syncope\u662f\u4e00\u4e2a\u7528\u4e8e\u7ba1\u7406\u4f01\u4e1a\u73af\u5883\u4e2d\u7684\u6570\u5b57\u8eab\u4efd\u7684\u5f00\u6e90\u7cfb\u7edf\uff0c\u91c7\u7528Java EE\u6280\u672f\u5b9e\u73b0\uff0c\u5e76\u5728Apache 2.0\u8bb8\u53ef\u4e0b\u53d1\u5e03\u3002\r\n\r\nApache Syncope\u5b58\u5728\u5b58\u50a8\u578b\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u5177\u6709\u8db3\u591f\u7ba1\u7406\u6743\u9650\u7684\u6076\u610f\u7528\u6237\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u5305\u542bJavaScript\u8bed\u53e5\u7684\u7c7b\u4f3chtml\u7684\u5143\u7d20\u6ce8\u5165\u5230Connector\u540d\u79f0\u3001Report\u540d\u79f0\u3001AnyTypeClass\u952e\u53caPolicy\u63cf\u8ff0\u4e2d\uff0c\u5f53\u5177\u6709\u8db3\u591f\u7ba1\u7406\u6743\u9650\u7684\u5176\u4ed6\u7528\u6237\u901a\u8fc7\u7ba1\u7406\u63a7\u5236\u53f0\u7f16\u8f91\u4e0a\u8ff0\u5b9e\u4f53\u4e4b\u4e00\u65f6\uff0c\u6ce8\u5165\u7684JavaScript\u4ee3\u7801\u5c06\u88ab\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Syncope\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Syncope \u003c2.0.11",
      "Apache Syncope \u003c2.1.2"
    ]
  },
  "referenceLink": "https://syncope.apache.org/security#CVE-2018-17186:_XXE_on_BPMN_definitions",
  "serverity": "\u4e2d",
  "submitTime": "2018-11-07",
  "title": "Apache Syncope\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2018-17184 (GCVE-0-2018-17184)

Vulnerability from cvelistv5 – Published: 2018-11-06 19:00 – Updated: 2024-09-17 02:52

Summary

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.

Severity ?

No CVSS data available.

CWE

Information Disclosure

Assigner

apache

References

URL

Tags

https://syncope.apache.org/security#CVE-2018-1718…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Syncope	Affected: Apache Syncope releases prior to 2.0.11 and 2.1.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:39:59.596Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Syncope",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
            }
          ]
        }
      ],
      "datePublic": "2018-11-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-06T18:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2018-11-06T00:00:00",
          "ID": "CVE-2018-17184",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Syncope",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Syncope releases prior to 2.0.11 and 2.1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS",
              "refsource": "MISC",
              "url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-17184",
    "datePublished": "2018-11-06T19:00:00Z",
    "dateReserved": "2018-09-19T00:00:00",
    "dateUpdated": "2024-09-17T02:52:18.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-22660

CVE-2018-17184 (GCVE-0-2018-17184)

Tags

Sightings

Nomenclature