[midPoint] Security Advisory: Plain text password in task objects in repository

Radovan Semancik radovan.semancik at evolveum.com
Fri Jun 14 17:01:17 CEST 2019


Date: 14 Jun 2019
Severity: Low (CVSS 3.7)
Affected versions: all released midPoint versions since 3.7
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased)

Description

A cross-site scripting (XSS) vulnerability exists in some parts of the 
midPoint user interface, namely in the organization displayName.

Severity and Impact

A malicious user can execute arbitrary scripts (e.g. JavaScript) as part 
of the midPoint web-based user interface. This vulnerability exists in 
the displayName of all multi-value containers, including the name of an 
organization/organizational unit. Exploiting this vulnerability requires 
administrative privileges, therefore the severity and impact of this 
vulnerability are low.

Mitigation

Users of affected midPoint versions are advised to upgrade their 
deployments to the latest builds from the support branches.
As this is a low severity issue, it does not force official maintenance 
releases of midPoint. However, the fix is provided in all the support 
branches.

Discussion and Explanation

The midPoint user interface is based on the Apache Wicket web framework. 
Proper use of the Wicket framework protects against most XSS-related 
vulnerabilities. However, one part of the midPoint code was using the 
Wicket framework improperly, therefore opening an XSS vulnerability. The 
vulnerability could be exploited by fabricating the displayName of an 
organizational unit, or in fact any display name of a multi-value container.
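The advisory does not say which Wicket call was misused, so the following is an added illustration rather than midPoint's own code: a small Python script that (a) mimics the difference between rendering a displayName with Wicket's default model-string escaping and with escaping turned off (in Wicket that switch is Component.setEscapeModelStrings(false); the behaviour is reproduced here with html.escape), and (b) audits a constructed list of organization objects for displayName values containing HTML markup, which is the check an administrator may want to run over existing data before or after upgrading. The object layout and OIDs are simplified placeholders, not the midPoint schema.

```python
import html
import re

# Constructed sample of organization objects in a simplified layout.
# This is NOT the midPoint object schema; OIDs and values are placeholders.
SAMPLE_ORGS = [
    {"oid": "org-0001", "name": "Sales", "displayName": "Sales Department"},
    {"oid": "org-0002", "name": "IT", "displayName": "IT & Operations"},
    {"oid": "org-0003", "name": "Research", "displayName": "R<script>alert(1)</script>D"},
    {"oid": "org-0004", "name": "Legal", "displayName": 'Legal <img src=x onerror="alert(1)">'},
]

# Matches anything that looks like an HTML tag: "<", optional "/", a tag name, then ">".
# A bare "&" (as in "IT & Operations") is legitimate text and is deliberately not flagged.
MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_display_name(value: str, escape_model_strings: bool = True) -> str:
    """Model what reaches the browser for a displayName shown in a Label.

    escape_model_strings=True mirrors Wicket's default, where the model string
    is HTML-escaped before being written to the page. escape_model_strings=False
    mirrors a component on which escaping was disabled: the raw value is emitted,
    which is the condition under which attacker-controlled markup would run.
    """
    if escape_model_strings:
        return html.escape(value, quote=True)
    return value


def find_markup_in_display_names(objects):
    """Return (oid, displayName) pairs whose displayName contains HTML tags.

    Intended as an audit over exported objects: any hit is a value that would
    have been rendered as markup by the affected code path.
    """
    return [
        (obj["oid"], obj["displayName"])
        for obj in objects
        if MARKUP_PATTERN.search(obj["displayName"])
    ]


if __name__ == "__main__":
    for oid, display_name in find_markup_in_display_names(SAMPLE_ORGS):
        print(f"{oid}: displayName contains markup -> {display_name!r}")
        print(f"    escaped rendering: {render_display_name(display_name)}")
```

Running the script lists org-0003 and org-0004 and shows how the escaped rendering turns the tags into inert text; org-0002 is left alone because an ampersand on its own is ordinary content that escaping handles correctly. The same audit function can be pointed at any list of objects that carry a displayName, matching the advisory's note that every multi-value container's display name was affected, not only organizations.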

Credit

This issue was reported by a tester known as Jespert123 by means of the 
EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+XSS+Vulnerability+In+displayName

-- 
Radovan Semancik
Software Architect
evolveum.com
