Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-1322

CWE-200Information Exposure6 documents6 sources
Severity
4.9MEDIUM
EPSS
6.7%
top 8.73%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache SyncopeApache Software Foundation Apache Syncope
Timeline
PublishedMar 20
Latest updateNov 6

Description

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

NVDapache/syncope1.2.01.2.11+18
Mavenorg.apache.syncope:syncope-core2.0.02.0.8+1
CVEListV5apache_software_foundation/apache_syncopeReleases prior to 1.2.11, Releases prior to 2.0.8, The unsupported Releases 1.0.x, 1.1.x may be also affected.+1

🔴Vulnerability Details

3
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope2018-11-06
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Apache syncope-cope2018-11-06
CVEList
CVE-2018-1322: An administrator with user search entitlements in Apache Syncope 12018-03-20

💥Exploits & PoCs

1
Exploit-DB
Apache Syncope 2.0.7 - Remote Code Execution2018-09-13

💬Community

1
Bugzilla
CVE-2016-8750 karaf: LDAP injection in LDAPLoginModule2017-12-11
CVE-2018-1322 (MEDIUM CVSS 4.9) | An administrator with user search e | cvebase.io