Vulnerability Description
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 (the unsupported 1.0.x and 1.1.x releases may also be affected) can recover sensitive security values by naming them in the fiql (filter) and orderby (sort) parameters of user search requests, even though the search entitlement is not meant to expose those values.
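The security-relevant point is general: a search endpoint that lets a caller filter or sort on an attribute the caller is not allowed to read turns that attribute into an oracle, whatever columns the response projects. The toy below, added here as an illustration and not Apache Syncope code, shows a user search that filters and sorts on any attribute and projects only usernames, how a prefix-wildcard filter recovers a hidden value character by character and how a sort key alone leaks its ordering, and a hardened variant that rejects any filter or sort attribute outside the caller's readable set. The user store, the attribute names, the FIQL subset and the function names are all invented for the demo; the actual attributes and query syntax for the Syncope issue are in the vendor advisory and exploit-db references and are not reproduced here.

```python
# Added illustration (not Apache Syncope code): a search endpoint that filters
# and sorts on attributes the caller may not read is an oracle for them.
# The store, attribute names and FIQL subset below are constructed for the demo.
import re
from typing import Callable, Dict, List

# Constructed sample store; 'password_hash' stands in for any sensitive value.
USERS: List[Dict[str, str]] = [
    {"username": "alice", "email": "alice@example.org", "password_hash": "5f4dcc3b"},
    {"username": "bob",   "email": "bob@example.org",   "password_hash": "0d107d09"},
    {"username": "carol", "email": "carol@example.org", "password_hash": "e10adc39"},
]
# Attributes the "user search" entitlement is meant to expose.
READABLE = {"username", "email"}

_FIQL = re.compile(r"^(\w+)==([^;]*)$")

def parse_fiql(fiql: str):
    """Tiny FIQL subset: 'attr==value' terms joined by ';' (AND);
    a trailing '*' in the value is a prefix wildcard."""
    terms = []
    for raw in fiql.split(";"):
        m = _FIQL.match(raw.strip())
        if not m:
            raise ValueError(f"bad FIQL term: {raw!r}")
        terms.append((m.group(1), m.group(2)))
    return terms

def _matches(user: Dict[str, str], terms) -> bool:
    for attr, value in terms:
        actual = user.get(attr, "")
        if value.endswith("*"):
            if not actual.startswith(value[:-1]):
                return False
        elif actual != value:
            return False
    return True

def search_vulnerable(fiql: str, orderby: str) -> List[str]:
    """Filters and sorts on ANY attribute, then projects to usernames.
    The projection hides sensitive columns; the filter and sort do not."""
    terms = parse_fiql(fiql)
    hits = [u for u in USERS if _matches(u, terms)]
    hits.sort(key=lambda u: u.get(orderby, ""))
    return [u["username"] for u in hits]

def search_hardened(fiql: str, orderby: str) -> List[str]:
    """Same endpoint, but every attribute named in the filter or the sort key
    must be one the caller may read; anything else is rejected up front."""
    terms = parse_fiql(fiql)
    for attr, _ in terms:
        if attr not in READABLE:
            raise PermissionError(f"cannot filter on {attr}")
    if orderby not in READABLE:
        raise PermissionError(f"cannot sort on {orderby}")
    hits = [u for u in USERS if _matches(u, terms)]
    hits.sort(key=lambda u: u[orderby])
    return [u["username"] for u in hits]

def leak_via_fiql(search: Callable[[str, str], List[str]], username: str,
                  attr: str, alphabet: str = "0123456789abcdef",
                  max_len: int = 16) -> str:
    """Recover a hidden attribute one character at a time, using the prefix
    wildcard as a yes/no oracle: 'does this user's value start with X?'"""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if search(f"username=={username};{attr}=={known + ch}*", "username"):
                known += ch
                break
        else:
            break  # no character extends the prefix: value fully recovered
    return known

def leak_order_via_orderby(search: Callable[[str, str], List[str]], attr: str) -> List[str]:
    """The sort key alone leaks the relative order of a hidden attribute across users."""
    return search("username==*", attr)

if __name__ == "__main__":
    print(leak_via_fiql(search_vulnerable, "alice", "password_hash"))
    print(leak_order_via_orderby(search_vulnerable, "password_hash"))
    try:
        search_hardened("password_hash==5*", "username")
    except PermissionError as e:
        print("hardened endpoint:", e)
```

The fix is the same shape as the one an identity-management product needs: authorisation on the attributes referenced by the query, not only on the attributes in the response. Note that the hardened variant checks the sort key too, since orderby leaks ordering without any filter at all.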
CVSS Score
MEDIUM (base score 4.9)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Syncope | >= 1.2.0, < 1.2.11 |
| Apache | Syncope | >= 2.0.0, < 2.0.8 |
| Apache | Syncope | 1.0.x and 1.1.x (unsupported; may also be affected) |
Related Weaknesses (CWE)
References
- http://syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_vi (Mitigation; Vendor Advisory)
- http://www.securityfocus.com/bid/103507 (Third Party Advisory; VDB Entry)
- https://www.exploit-db.com/exploits/45400/ (Third Party Advisory; VDB Entry)
FAQ
What is CVE-2018-1322?
CVE-2018-1322 is an information disclosure vulnerability in Apache Syncope with a CVSS base score of 4.9 (MEDIUM). An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 (the unsupported 1.0.x and 1.1.x releases may also be affected) can recover sensitive security values using the fiql and orderby parameters of user search requests.
How severe is CVE-2018-1322?
CVE-2018-1322 has been rated MEDIUM with a CVSS base score of 4.9/10. Exploitation requires an authenticated administrator account that already holds user search entitlements, which keeps the score moderate; the impact is disclosure of values that entitlement is not meant to expose. This page lists only the base score and rating; the vendor advisory in the references carries the full details.
Is there a patch for CVE-2018-1322?
Yes. Per the description, the fixed releases are Apache Syncope 1.2.11 and 2.0.8; upgrade to those or later. The 1.0.x and 1.1.x lines are unsupported and may also be affected, so they should be migrated rather than patched. The vendor advisory in the references section above carries the mitigation details.