Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Please refer to the main version of this file in: https://github.com/Alfresco/acs-packaging

October 2021

The latest releases of Alfresco products alfresco-content-services and Share User Interface contains fixes of three security vulnerabilities, two of them have been reported by external security researchers, see the credits below.

The first issue reported was an evasion in the XSS prevention filter used to validate HTML input coming from the client's browser. The XSS prevention filter have been replaced with the specialized library from OWASP: Java HTML Sanitizer https://github.com/OWASP/java-html-sanitizer/ likely preventing other possible future evasions being discovered. This issue was assigned provisional number CVE-2021-41791 Cross-Site Scripting (XSS). Affected versions include:

  • org.alfresco:share - versions from (including) 5.0.x.x up to (including) 5.2.7.11
  • org.alfresco:share - versions from (including) 6.0.x.x up to (including) 6.2.2.4
  • org.alfresco:community-share - prior to (including) 7.0
  • org.alfresco:share - versions from (including) 6.1.x.x up to (including) 6.1.1.2
  • org.alfresco:share -versions from (including) 6.0.x.x up to (including) 6.0.1.2
  • org.alfresco:share - versions 7.0.1 , 7.0.0.2 , 7.0.0.1 , 7.0

The second issue fixed was in the business logic around script execution. Additional validation was implemented preventing edge cases that could lead to an escalation of privileges in the sanboxed script execution itself. This issue was assigned provisional number CVE-2021-41790. Affected versions include:

  • org.alfresco:alfresco-content-services - versions from (including) 5.0.x.x up to (including) 5.2.7.11
  • org.alfresco:alfresco-content-services - versions from (including) 6.0.0.x up to (including) 6.0.1.9
  • org.alfresco:alfresco-content-services - versions from (including) 6.1.0.x up to (including) 6.1.1.10
  • org.alfresco:alfresco-content-services - versions from (including) 6.2.0.x up to (including) 6.2.2.18
  • org.alfresco:alfresco-content-services - versions 7.0.0.2 , 7.0.0.1 , 7.0
  • org.alfresco:alfresco-content-services - versions from (including) 7.0.1.0 up to (including) 7.0.1.2

The third issue fixed is a Blind SSRF that could be executed through a specific document format transformation. The issue has been fixed by disabling the specific tranformation through configuration. This issue was assigned provisional number CVE-2021-41792. Affected versions include:

  • org.alfresco:alfresco-content-services - versions from (including) 5.0.x.x up to (including) 5.2.7.11
  • org.alfresco:alfresco-content-services - versions from (including) 6.0.0.x up to (including) 6.0.1.9
  • org.alfresco:alfresco-content-services - versions from (including) 6.1.0.x up to (including) 6.1.1.10
  • org.alfresco:alfresco-content-services - versions from (including) 6.2.0.x up to (including) 6.2.2.18
  • org.alfresco:alfresco-transform-services - prior to (including) 1.3

Credits:

For CVE-2021-41790 and CVE-2021-41791 we want to thank Jack Misiura and Stefano Lanaro at The Missing Link Australia for reporting them and to professionally collaborate in the controlled disclosure. All the above issues were discovered during security testing and so far we do not have any evidence that they have ever been attempted to be exploited in a production environment.