Message-Id: <032C189E-D821-4833-A8F2-F72365147695@apache.org>
Date: Fri, 11 Feb 2011 01:21:00 +1100
From: Brett Porter <brett@...che.org>
To: users@...tinuum.apache.org
Cc: announce@...che.org,
Apache Security Response Team <security@...che.org>,
dev@...tinuum.apache.org, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability
CVE-2010-3449: Apache Continuum CSRF vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.
Description:
Administrators are able to change any user's password, but the
source of the request is not verified, making the behaviour
susceptible to CSRF.
Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7
Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066010
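The pattern behind the flaw, and the check that closes it, as an added illustration that is not Continuum code and not the patch linked above: the vulnerable handler authorises the admin session but never verifies where the request came from, while the hardened handler additionally requires a per-session synchronizer token (which a page on another origin cannot read) and rejects a mismatching Origin header. The user store, session class and site name are constructed for the example.

```python
import hmac
import secrets

# Constructed sample user store standing in for the application's own.
USERS = {"admin": "s3cret", "alice": "alice-pw"}

class Session:
    """Server-side session: who is logged in, plus a CSRF token issued once per session."""
    def __init__(self, username, is_admin):
        self.username = username
        self.is_admin = is_admin
        self.csrf_token = secrets.token_urlsafe(32)  # rendered into our own forms only

def change_password_vulnerable(session, form):
    """The advisory's pattern: authorisation is checked, the request's source is not."""
    if not session.is_admin:
        return False
    USERS[form["username"]] = form["password"]
    return True

def change_password_hardened(session, form, origin=None, site="https://continuum.example"):
    """Same action with two independent checks a cross-site request cannot satisfy."""
    if not session.is_admin:
        return False
    # Defence in depth: browsers attach Origin to cross-site POSTs; a mismatch is a forgery.
    if origin is not None and origin != site:
        return False
    # Synchronizer token: the form must echo the token tied to this session.
    # Another origin cannot read it, so it cannot build a request that passes.
    # compare_digest keeps the comparison constant-time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    USERS[form["username"]] = form["password"]
    return True

def forged_vs_legitimate():
    """Returns (vulnerable_accepts_forgery, hardened_accepts_forgery, hardened_accepts_legit)."""
    admin = Session("admin", is_admin=True)
    # Request riding on the admin's cookie from another site: no token, foreign Origin.
    forged = {"username": "alice", "password": "set-by-third-party"}
    # Request from our own page, which rendered the session's token into the form.
    legit = dict(forged, csrf_token=admin.csrf_token)
    return (
        change_password_vulnerable(admin, forged),
        change_password_hardened(admin, forged, origin="https://evil.example"),
        change_password_hardened(admin, legit, origin=site_of(admin)),
    )

def site_of(_session):
    """Constructed helper: the application's own origin, matched against the Origin header."""
    return "https://continuum.example"
```

The token check alone is sufficient; the Origin comparison catches forgeries from browsers that send the header even when a token were ever leaked.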
Credit:
This issue was discovered by Anatolia Security Research Group
References:
http://continuum.apache.org/security.html
--
Brett Porter
brett@...che.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter