Lucene search

K
cve[email protected]CVE-2018-1322
HistoryMar 21, 2018 - 12:00 a.m.

CVE-2018-1322

2018-03-2100:00:00
CWE-200
web.nvd.nist.gov
56
cve-2018-1322
apache syncope
user search entitlements
security vulnerability
information security

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

5.2 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

54.7%

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.

Affected configurations

NVD
Node
apachesyncopeRange1.2.01.2.11
OR
apachesyncopeRange2.0.02.0.8
OR
apachesyncopeMatch1.0.0
OR
apachesyncopeMatch1.0.3
OR
apachesyncopeMatch1.0.4
OR
apachesyncopeMatch1.0.5
OR
apachesyncopeMatch1.0.6
OR
apachesyncopeMatch1.0.7
OR
apachesyncopeMatch1.0.8
OR
apachesyncopeMatch1.0.9
OR
apachesyncopeMatch1.1.0
OR
apachesyncopeMatch1.1.1
OR
apachesyncopeMatch1.1.2
OR
apachesyncopeMatch1.1.3
OR
apachesyncopeMatch1.1.4
OR
apachesyncopeMatch1.1.5
OR
apachesyncopeMatch1.1.6
OR
apachesyncopeMatch1.1.7
OR
apachesyncopeMatch1.1.8

CNA Affected

[
  {
    "product": "Apache Syncope",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Releases prior to 1.2.11, Releases prior to 2.0.8"
      },
      {
        "status": "affected",
        "version": "The unsupported Releases 1.0.x, 1.1.x may be also affected."
      }
    ]
  }
]

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

5.2 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

54.7%