Latest revision as of 14:41, 13 August 2015
Advisory-SVG-2014-7553
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-7553]

Title:   EGI SVG Advisory 'High' Risk - Dirac SQL injection vulnerability [EGI-SVG-2014-7553]
Date:    2015-05-13
Updated: 2015-08-13
URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7553

Introduction
============

An SQL injection vulnerability has been found in Dirac, which is exploitable by any authorized user and allows proxy theft. This has been fixed by the developers.

Update 13th August 2015: Changed to 'White' information - this is now the production version.

Details
=======

An SQL injection vulnerability has been found in Dirac, which allows an authorized user to steal long lived proxies from other clients in the same Dirac server, possibly including clients in other VOs. This allows the possibility of tampering with data, and impersonation of another user.

An exploit has been written by the reporter, and the developers confirmed that this vulnerability exists as described.

Risk category
=============

This issue has been assessed as 'High' Risk by the EGI SVG Risk Assessment Team.

Affected software
=================

Dirac versions prior to v6r13

This vulnerability is fixed in Dirac v6r13

Mitigation
==========

N/A

Component installation information
==================================

See [R 1]

Recommendations
===============

Sites are recommended to update relevant components as soon as possible.

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London.

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki

Timeline
========

Yyyy-mm-dd
2014-10-14 Vulnerability reported by Simon Fayer from SVG
2014-10-27 Software providers responded and involved in investigation
2014-11-07 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-05-08 Updated packages available
2015-05-13 Advisory sent to sites
2015-08-13 Updated as fixed version is now the production version and placed on wiki
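The "Affected software" section draws the line at v6r13. The following is an added example (not part of the advisory, nor DIRAC project code) that a site could use to decide which of its Dirac servers still fall below that line. It assumes DIRAC version tags are of the form v<major>r<release>[p<patch>] (e.g. v6r12p20); the hostnames and versions in the sample inventory are constructed.

```python
import re

# First release that contains the fix, as stated in the advisory.
FIXED_VERSION = "v6r13"

# Assumed DIRAC tag layout: v<major>r<release>[p<patch>], e.g. v6r12p20.
# Anything else (pre-release tags, local builds) is rejected rather than guessed.
_TAG_RE = re.compile(r"^v(\d+)r(\d+)(?:p(\d+))?$")


def parse_dirac_version(tag):
    """Turn 'v6r12p20' into (6, 12, 20); a missing patch level counts as 0."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError("unrecognised DIRAC version tag: %r" % tag)
    major, release, patch = m.groups()
    return (int(major), int(release), int(patch or 0))


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed release predates the first fixed release."""
    return parse_dirac_version(installed) < parse_dirac_version(fixed)


def affected_hosts(inventory):
    """Given {hostname: version_tag}, return sorted hostnames still needing the update.

    Hosts whose tag cannot be parsed are reported too: an unknown version
    cannot be assumed to carry the fix.
    """
    needs_update = []
    for host, tag in inventory.items():
        try:
            if is_affected(tag):
                needs_update.append(host)
        except ValueError:
            needs_update.append(host)
    return sorted(needs_update)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "dirac-01.example.org": "v6r12p20",
    "dirac-02.example.org": "v6r13",
    "dirac-03.example.org": "v6r13p3",
    "dirac-04.example.org": "v6r13-pre5",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("update required:", host, SAMPLE_INVENTORY[host])
```

Unparseable tags are deliberately listed alongside vulnerable ones so that an odd local build is looked at rather than silently skipped.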