sympa-community.github.io


2020-003 Defects in the access restriction of Sympa SOAP/HTTP interface

The Sympa Community 2021-01-06 (Update)

Synopsis

A fix is available for defects in the access restriction of the Sympa SOAP/HTTP interface.

Systems Affected

Problem Description

Defects have been discovered in the authenticateAndRun call of the Sympa SOAP/HTTP interface by which the access restriction can be bypassed, and therefore the following are allowed:

As a result, any SOAP call can be executed.

For more details see References.

This problem does not apply to environments where the SOAP/HTTP server (sympa_soap_server.fcgi) is not running.

Impact

An attacker can execute any SOAP call with the privileges of any Sympa account.

Workarounds

Solution

or, if you have installed Sympa using an earlier version of the source distribution,

CVE Numbers

CVE-2020-29668

References

Acknowledgements

The security flaw was initially reported by Stefan Brenner.

Change log

CC BY-SA 4.0 Unless otherwise specified, the contents of this document are licensed under the Creative Commons - Attribution - ShareAlike license. For more details see LICENSE and AUTHORS.
