grouper-dev - [grouper-dev] Important! Grouper Security Advisories in API/UI v2.3

Subject: Grouper Developers Forum

  • From: "Hyzer, Chris" <>
  • To: " Mailing List" <>, "" <>, "" <>
  • Subject: [grouper-dev] Important! Grouper Security Advisories in API/UI v2.3
  • Date: Tue, 21 Aug 2018 06:20:11 +0000

#1

 

Grouper audits can show more information than a user should be able to see.

 

Grouper UI v2.3 patch 44 is affected. You need this patch fix if you have UI patch #44 installed.

 

GRP-1875: subject audits should only be seen by grouper admins

 

Reproduce by logging in as a non-root user, pulling up a subject in the new UI, and viewing their audits. You might be able to see more than you should. Refresh quickly; this is related to the other security advisory.

 

Fixed in 2.3.0 UI patch #47. This is a low-risk patch which requires root (READONLY root or all root) to see audits for users.

 

#2

 

Group finder flash cache can return results if attempted multiple times in quick succession.

 

Grouper API v2.3 patch 96 is affected. You need this patch fix if you have API patch #96 installed.

 

GRP-1876: flash cache in groups can allow subjects to view (not read) objects with quick subsequent requests

 

Reproduce this by attempting to VIEW a group (not read) via WS or something in the UI, multiple times in quick succession. You will see the group even though the first call does not show it.

 

Fixed in 2.3.0 API patch #109. This is a low-risk patch which corrects this issue.

 

Thanks to Shilen for finding these while testing the 2.4.0 release. These are fixed in 2.4.0 when it is released.

 

Thanks

Chris
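The second advisory (GRP-1876) describes a class of bug worth seeing in code: a short-lived "flash" cache that is consulted before the privilege filter, so the first request from an unprivileged subject is filtered out while the next request inside the cache TTL is served straight from the cache and leaks the object. The example below is an added illustration written for this page, not Grouper's own code (Grouper is Java; this is Python, with a fake clock so the race is deterministic). The group names, the VIEW_ACL table, can_view(), fetch_from_db() and the FlashCache class are all constructed assumptions, not Grouper APIs.

```python
import time

# Constructed sample data (not Grouper's schema): group names and the
# subjects permitted to VIEW each group. "root" sees everything.
GROUPS = {"app:secret:members", "app:public:all"}
VIEW_ACL = {
    "app:secret:members": {"alice"},
    "app:public:all": {"alice", "bob"},
}


def can_view(subject, group_name):
    """Hypothetical VIEW privilege check standing in for Grouper's own."""
    return subject == "root" or subject in VIEW_ACL.get(group_name, set())


def fetch_from_db(group_name):
    """Unfiltered lookup: returns the raw group record if it exists."""
    return {"name": group_name} if group_name in GROUPS else None


class FlashCache:
    """Tiny time-boxed memoisation cache keyed only by group name.

    Entries live for ttl_seconds. The clock is injectable so the quick
    successive requests from the advisory can be reproduced deterministically.
    """

    def __init__(self, ttl_seconds=2.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}  # group_name -> (expires_at, raw record)

    def get(self, group_name):
        hit = self._entries.get(group_name)
        if hit is not None and hit[0] > self.clock():
            return True, hit[1]
        return False, None

    def put(self, group_name, record):
        self._entries[group_name] = (self.clock() + self.ttl, record)


def find_group_leaky(cache, subject, group_name):
    """Flawed ordering: a cache hit is returned before the privilege filter.

    Call 1 misses, fetches the raw record, caches it, then filters it out for
    an unprivileged subject. Call 2 inside the TTL hits the cache and returns
    the record without can_view() ever running for this subject.
    """
    hit, record = cache.get(group_name)
    if hit:
        return record
    record = fetch_from_db(group_name)
    cache.put(group_name, record)
    return record if record and can_view(subject, group_name) else None


def find_group_fixed(cache, subject, group_name):
    """Corrected ordering: the privilege filter runs on every path.

    The cache may still hold the raw record, but nothing leaves this function
    without can_view() being evaluated for the calling subject.
    """
    hit, record = cache.get(group_name)
    if not hit:
        record = fetch_from_db(group_name)
        cache.put(group_name, record)
    return record if record and can_view(subject, group_name) else None


def reproduce(finder, subject, group_name, calls=2):
    """Issue `calls` quick requests (0.1s apart on a fake clock) and report
    whether each one showed the group."""
    ticks = iter(range(1000))
    cache = FlashCache(ttl_seconds=2.0, clock=lambda: next(ticks) * 0.1)
    return [finder(cache, subject, group_name) is not None for _ in range(calls)]


if __name__ == "__main__":
    # bob may not VIEW app:secret:members; the leaky finder shows it on call 2.
    print("leaky:", reproduce(find_group_leaky, "bob", "app:secret:members"))
    print("fixed:", reproduce(find_group_fixed, "bob", "app:secret:members"))
```

The fix shown is the ordering change (authorise after every cache read); keying the cache by (subject, group) would also close the hole but multiplies cache entries per caller. Either way, the check to keep when reviewing any memoised finder is that no return path skips the privilege filter for the current subject.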


