Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: OpenPNE 3, opWebAPIPlugin, opOpenSocialPlugin -- XXE vulnerability fix
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 11 Sep 2013 14:45:54 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2013 11:03 PM, Kousuke Ebihara wrote:
Hi,

I'm a member of OpenPNE security handling team.

We've released our OSS product, OpenPNE 3, opWebAPIPlugin and
opOpenSocialPlugin to fix XXE vulnerability.

Whould you assign CVEs to them?

1. OpenPNE 3 XXE Vulnerabilities Affects: 3.8.7, 3.6.11, 3.4.21.1,
3.2.7.6, 3.0.8.5 Fixed: 3.8.7.1, 3.6.11.1, 3.4.21.2, 3.2.7.7,
3.0.8.6 Commit:
https://github.com/openpne/OpenPNE3/commit/6147099848185a82a18d1ba8aa84e69a7eadfcba


Security Advisory: http://www.openpne.jp/archives/12091/
Original reporter of this vulnerability: Kousuke Ebihara

Access Vector: Network exploitable Access Complexity: Low 
Authentication: Not required to exploit Impact Type: Allows
unauthorized disclosure of information; Allows unauthorized
modification; Allows disruption of service

Please use CVE-2013-4333 for this issue.

2. opWebAPIPlugin XXE Vulnerabilities Affects: 0.5.1, 0.4.0, 0.1.0 
Fixed: 0.5.1.1, 0.4.0.1, 0.1.0.1 Commit:
https://github.com/ebihara/opWebAPIPlugin/commit/8820a4a8d7b8c8fbfa4533cc5645f371d454ca5b


Security Advisory: http://www.openpne.jp/archives/12091/
Original reporter of this vulnerability: Kousuke Ebihara

Access Vector: Network exploitable Access Complexity: Low 
Authentication: Not required to exploit Impact Type: Allows
unauthorized disclosure of information; Allows unauthorized
modification; Allows disruption of service

Please use CVE-2013-4334 for this issue.

3. opOpenSocialPlugin XXE Vulnerabilities Affects: 0.8.2.1,
0.9.9.2, 0.9.13, 1.2.6 Fixed: 0.8.2.2, 0.9.9.3, 0.9.13.1, 1.2.6.1 
Commit:
https://github.com/openpne-ospt/opOpenSocialPlugin/commit/a19c02997cf3045ad18b57c14a05465bfb3ae88c


Security Advisory: http://www.openpne.jp/archives/12091/
Original reporter of this vulnerability: Kousuke Ebihara

Access Vector: Network exploitable Access Complexity: Low 
Authentication: Not required to exploit Impact Type: Allows
unauthorized disclosure of information; Allows unauthorized
modification; Allows disruption of service

Please use CVE-2013-4335 for this issue.

Thanks, Kousuke



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSMNaBAAoJEBYNRVNeJnmTPpUP/RHcEUpXO/xpUzn+Pa2O+Zwu
E7pJ7UYaGgxbjKXLhiFd6GiAhcNk/b1fWPJp1vtqHTSsgx9Ev6RGqy+UCdTnoD5O
mPOoueo3mc1uKlTdCOkaiYZaEw5NERMrFB6me+1Gbsy71lBrIaEoE867udMgtcRZ
tkV/C6H2UoGxV/4DH8sBIA/RxS0YDdzH2u/yVM/ituxYql6yLuCT1/eX1T4V6GCY
HrSxhd/nX3QJD0Orcd9G3+LoLHgSF1QkWUZ8r9d6DvlspwlDiIQA7+SCOmYt7O3c
kqiNp51xHkkCGTfQVscGiHlWBuTKY40jFPJp7Bfm2LW1KNFsQVbywLfC1W7UuHIY
B7N1QendnIUdvi/X9PLyjsmTjzhQu6+axdvta3gEKfR1Uxc1xaNprPppi8TKuZqp
Bx8uC1YwVseHow2W66kEjlKQ+H1amoiSGQzNUle2zoEv2DdKlJYpSFiaU3O2Lz8C
dzzzjnzxXXJY0AqOIIhnQ0CPKvro47enAGgnk2vnOMhvL7qabBGvFb4AxkPCwtPr
HpIr5i5BNxYuVsA+DAXwVWaWNPdRM6adUfJF0PbDojylU39cB4eVmDb/D8h86DW8
H/9H8Enk50AGWARQ86JCpNC6+2I9EcxGhsaLU31JdGhjmajEU6pZLhI/2qL7/YlC
1o1T3J7ooYbAGcYPxRqR
=u5Lj
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault