CVE-2018-1322

4.9MEDIUM

Key Information:

Vendor: Apache
Status: Apache Syncope
Vendor: CVE Published:; 20 March 2018

Summary

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.

Affected Version(s)

Apache Syncope Releases prior to 1.2.11, Releases prior to 2.0.8

Apache Syncope The unsupported Releases 1.0.x, 1.1.x may be also affected.

References

http://syncope.apache.org/security.html#CVE-2018-1322:_In...

x_refsource_MISC

http://www.securityfocus.com/bid/103507

vdb-entryx_refsource_BID

https://www.exploit-db.com/exploits/45400/

exploitx_refsource_EXPLOIT-DB

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2018
Vulnerability Reserved
Dec 7, 2017

.