| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Feb 2011 01:21:00 +1100 From: Brett Porter <brett@...che.org> To: users@...tinuum.apache.org Cc: announce@...che.org, Apache Security Response Team <security@...che.org>, dev@...tinuum.apache.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: [SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability CVE-2010-3449: Apache Continuum CSRF vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Continuum 1.3.6 Continuum 1.4.0 (Beta) The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected. Description: Administrators are able to change any user's password, but the source of the request is not verified, making the behaviour susceptible to CSRF. Mitigation: Continuum 1.3.6 and earlier users should upgrade to 1.3.7 Continuum 1.4.0 (Beta) users should apply the following patch: http://svn.apache.org/viewvc?view=revision&revision=1066010 Credit: This issue was discovered by Anatolia Security Research Group References: http://continuum.apache.org/security.html -- Brett Porter brett@...che.org http://brettporter.wordpress.com/ http://au.linkedin.com/in/brettporter
Powered by blists - more mailing lists