All security issues and mitigation actions#
Note
The content of this document is subject to change without notice as we take steps to address outstanding issues.
The following table displays an overview of known security issues, along
with their severity, and the corresponding mitigation actions to
implement.
It summarizes findings, proposed fixes, and mitigation actions
EclecticIQ takes on a continuous basis to address these security and
vulnerability issues detected in the platform and its components.
Legenda |
|
|---|---|
β |
The security issue is solved |
π |
The security issue is open, and a solution or a mitigation is either under investigation, or it is available. |
β οΈ |
The security issue is open, and no solution or mitigation is available yet. |
A solution or a mitigation is currently under development |
|
β² |
A solution or a mitigation is planned for a future product release. |
π |
Further research is in progress to assess the security issue. |
ID |
CVE |
Description |
Severity |
Status |
Affected versions |
|---|---|---|---|---|---|
N/A |
Bypassing report content sanitization using API calls allows possible SSRF and directory traversal |
3 - HIGH |
β 3.0.0 |
2.14.x and earlier. |
|
N/A |
HTML injection through title field of report entity when exporting to PDF |
2 - MEDIUM |
β 3.0.0 |
2.14.0 and earlier. |
|
N/A |
The public API allows users with only βread knowledge-packsβ permissions to delete knowledge packs. |
1 - LOW |
β 3.0.0 |
2.13.0 and earlier, with the public api v1.1.3 and earlier installed |
|
N/A |
Drop-down menus that render user-defined item names are vulnerable to stored XSS attacks |
3 - HIGH |
β 2.12.0, 2.11.3, 2.10.5 |
2.11.2 and earlier. |
|
CVE-2021-44832 |
Log4J β€2.17.0 is vulnerable to remote code execution through JDBCAppender if attacker can modify Log4J configuration. |
1 - LOW |
β Mitigated by Elasticsearch and Logstash defaults. |
2.11.1 and earlier; 2.10.4 and earlier; 2.9.4 and earlier. |
|
CVE-2021-23727 |
Celery β€5.2.1 is vulnerable to stored command injection |
2 - MEDIUM |
β 2.12.0 |
2.11.x and earlier |
|
|
Log4j versions earlier than 2.15 have a remote code execution vulnerability. EclecticIQ Endpoint Response Enterprise Edition has mitigations in place. Endpoint Response Community Edition is unaffected. |
0 - MITIGATED |
β Mitigated |
EclecticIQ Endpoint Response EE 3.0.1 and CE 3.0 |
|
|
Log4j versions earlier than 2.15 have a remote code execution vulnerability, affecting Logstash. Supersedes EIQ-2021-0016. |
3-HIGH |
β Fixed in IC versions 2.9.4, 2.10.4, 2.11.1. |
2.9.x β 2.11.0 (affects Logstash and Elasticsearch 7.9.1) Hosted Intelligence Center instances have implemented mitigations; see assessment. |
|
CVE-2021-44228 |
Superseded by EIQ-2021-0016-2. Log4j versions earlier than 2.15 have a remote code execution vulnerability. |
See EIQ-2021-0016-2 |
See EIQ-2021-0016-2 |
2.11.x β 2.9.x |
|
- |
Users with only modify workspace-comments and read workspace permissions can edit and delete comments in workspaces where they are set as a collaborator. |
2 - MEDIUM |
β² Planned for 2.11.0 |
2.10.x and earlier |
|
- |
Users with only modify workspaces permissions can add or remove collaborators on a workspace they have access to |
Low |
β Β 2.11.0 |
2.10.x and earlier |
|
- |
Users with only modify entities and read files permissions can access and export attachments from report entities they do not have access to. |
Medium |
β 2.11.0 |
2.10.x and earlier |
|
- |
Users with only modify tickets and read ticket-comments permissions can modify properties of a task object they can access to move and see task comments from tasks they should not have access to. |
Medium |
β Β 2.11.0 |
2.10.x and earlier |
|
- |
Users without direct assignment to a listed workspace can view details they should not see. |
Low |
β Β 2.11.0 |
2.10.x and earlier |
|
- |
Users with only modify files permissions can move files from their workspace to other workspaces they donβt have access to. |
Medium |
β Β 2.11.0 |
2.10.x and earlier |
|
- |
Users with only modify ticket-comments and read tickets permissions can edit and delete comments on a Task they are at least a stakeholder on. |
Medium |
β Β 2.11.0 |
2.10.x and earlier |
|
- |
Users without modify-users permissions can assign themselves administrator permissions by intercepting a specific request |
3 - MAJOR |
β Β 2.10.1 |
2.10.0 and earlier |
|
- |
Users could create entities in Source Groups indirectly assigned through Groups, instead of only being able to create entities in Groups they are directly assigned to. |
1 - LOW |
β Β 2.9.2 |
2.9.1 and earlier. |
|
- |
SVG file upload could allow cross-site scripting (XSS) |
2 - MEDIUM |
β 2.9.2 |
2.9.1 and earlier. |
|
- |
HTML injection through the GUI |
2 - MEDIUM |
β Β 2.9.2 |
2.9.1 and earlier. |
|
CairoSVG is vulnerable to regular expression denial of service |
2 - MEDIUM |
β Β 2.10.0 |
2.9.1 and earlier. |
||
PySAML2 improper verification of cryptographic signature |
2 - MEDIUM |
β Β 2.10.0 |
2.9.1 and earlier. |
||
Pillow is vulnerable to buffer overflow |
2 - MEDIUM |
β² Planned for 2.10.0 |
2.9.1 and earlier. |
||
- |
Platform users can edit work-in-progress (draft) forms by ID |
2 - MEDIUM |
β Β 2.9.1 |
2.9.0 and earlier. |