The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:Advisory-SVG-2016-11033"
Jump to navigation
Jump to search
| Line 3: | Line 3: | ||
<pre> | <pre> | ||
Title: EGI SVG Advisory [TLP:WHITE] 'High' Risk Arbitrary file overwrite vulnerability in WebAppDIRAC | |||
[EGI-SVG-2016-11033] | |||
Date: 2016-05-25 | |||
Updated: | |||
Affected Software and Risk | |||
======================= | |||
HIGH risk vulnerability concerning Arbitrary file overwrite in WebAppDIRAC | |||
Package : WebApp DIRAC | |||
Actions Required/Recommended | |||
============================ | |||
Sites are recommended to update relevant components as soon as possible if they have not already | |||
installed a non-vulnerable version. | |||
Affected software Details. | |||
======================= | |||
Versions of DIRAC prior to v6r14p31 are affected. | |||
More information | |||
================ | |||
There is the possibility of unauthenticated remote code execution, but it is probably hard for an | |||
attacker to find and it is not clear how many sites are have a vulnerable configuration. | |||
The file uploading feature on which this vulnerability is based was removed from the DIRAC WebApp | |||
project starting from v6r14p31 version release. | |||
Component installation information | |||
================================== | |||
See [R 1] | |||
TLP and URL | |||
=========== | |||
** WHITE information - Unlimited distribution ** | |||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11033 | |||
Minor updates may be made without re-distribution to the sites | |||
Credit | |||
====== | |||
This vulnerability was reported by Simon Fayer from Imperial College, London. | |||
References | |||
========== | |||
[R 1] https://github.com/DIRACGrid/DIRAC/wiki | |||
Comments | |||
======== | |||
Comments or questions should be sent to svg-rat at mailman.egi.eu | |||
If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to | |||
report-vulnerability at egi.eu | |||
the EGI Software Vulnerability Group will take a look. | |||
Timeline | |||
======== | |||
Yyyy-mm-dd [EGI-SVG-2016-11033] | |||
2016-05-06 Vulnerability reported by Simon Fayer who is a member of SVG. | |||
2016-05-09 Software providers confirmed they are aware of this issue and already | |||
working on its resolution | |||
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting. | |||
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the software providers | |||
2016-05-19 Software providers stated that the issue has already been fixed in current production | |||
version, and gave version number | |||
2016-05-25 Advisory/Alert sent to sites | |||
2016-06-08 Advisory placed on the wiki | |||
</pre> | </pre> | ||
Latest revision as of 10:42, 8 June 2016
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2016-11033
Title: EGI SVG Advisory [TLP:WHITE] 'High' Risk Arbitrary file overwrite vulnerability in WebAppDIRAC
[EGI-SVG-2016-11033]
Date: 2016-05-25
Updated:
Affected Software and Risk
=======================
HIGH risk vulnerability concerning Arbitrary file overwrite in WebAppDIRAC
Package : WebApp DIRAC
Actions Required/Recommended
============================
Sites are recommended to update relevant components as soon as possible if they have not already
installed a non-vulnerable version.
Affected software Details.
=======================
Versions of DIRAC prior to v6r14p31 are affected.
More information
================
There is the possibility of unauthenticated remote code execution, but it is probably hard for an
attacker to find and it is not clear how many sites are have a vulnerable configuration.
The file uploading feature on which this vulnerability is based was removed from the DIRAC WebApp
project starting from v6r14p31 version release.
Component installation information
==================================
See [R 1]
TLP and URL
===========
** WHITE information - Unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11033
Minor updates may be made without re-distribution to the sites
Credit
======
This vulnerability was reported by Simon Fayer from Imperial College, London.
References
==========
[R 1] https://github.com/DIRACGrid/DIRAC/wiki
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2016-11033]
2016-05-06 Vulnerability reported by Simon Fayer who is a member of SVG.
2016-05-09 Software providers confirmed they are aware of this issue and already
working on its resolution
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting.
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the software providers
2016-05-19 Software providers stated that the issue has already been fixed in current production
version, and gave version number
2016-05-25 Advisory/Alert sent to sites
2016-06-08 Advisory placed on the wiki