Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope · CVE-2018-1322 · GitHub Advisory Database · GitHub

Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope

Moderate severity GitHub Reviewed Published Nov 6, 2018 to the GitHub Advisory Database • Updated Mar 4, 2024

Package

org.apache.syncope:syncope-core (Maven)

Affected versions

< 1.2.11

>= 2.0.0, < 2.0.8

Patched versions

1.2.11

2.0.8

Description

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can recover sensitive security values using the fiql and orderby parameters.

References

Published to the GitHub Advisory Database Nov 6, 2018

Reviewed Jun 16, 2020

Last updated Mar 4, 2024

Severity

Moderate

4.9

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N