Description
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can recover sensitive security values using the fiql and orderby parameters. The unsupported releases 1.0.x and 1.1.x may also be affected.
Affected products
- Apache Software Foundation / Apache Syncope: Releases prior to 1.2.11, Releases prior to 2.0.8
- Apache Software Foundation / Apache Syncope: The unsupported Releases 1.0.x, 1.1.x may also be affected.