OX Documents 7.10.5 Improper Authorization

2021.07.21
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-285

Product: OX Documents
Vendor: OX Software GmbH

Internal reference: DOCS-3199
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: imageconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev14, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-16
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28093
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted images are cached for faster processing when requesting the same resource again. This cache used a weak mechanism (Adler32) to create cache keys, which is vulnerable to accidental or purposeful hash collisions.

Risk:
Image content could be swapped by hash key collisions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two image files that would generate the same hash key
2. Upload both files
3. View Image A
4. View Image B - The content of Image A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.

---

Internal reference: DOCS-3200
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev34, 7.10.4-rev20, 7.10.5-rev7
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28094
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Converted documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanism (CRC32) to create cache keys, which is vulnerable to accidental or purposeful hash collisions.

Risk:
Document content could be swapped by hash key collisions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two document files that would generate the same hash key
2. Upload both files
3. View document A
4. View document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.

---

Internal reference: DOCS-3201
Vulnerability type: Improper Authorization (CWE-285)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev10, 7.10.4-rev8, 7.10.5-rev5
Vendor notification: 2021-01-26
Solution date: 2021-02-15
Public disclosure: 2021-07-19
CVE reference: CVE-2021-28095
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Vulnerability Details:
Documents are cached for faster processing when requesting the same resource again. This cache used a weak mechanism (CRC32) to create cache keys, which is vulnerable to accidental or purposeful hash collisions.

Risk:
Document content could be swapped by hash key collisions, resulting in a loss of confidentiality or integrity.

Steps to reproduce:
1. Create two documents that contain XML structures which create a hash collision
2. Upload both files
3. Edit document A
4. Edit document B - The content of document A will be served from the cache

Solution:
We now use a hashing algorithm (SHA-256) that is not prone to hash collisions.
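
The cache-key weakness behind DOCS-3199, as an added example that is not OX code: a toy converter cache (the class and function names are hypothetical) keyed first by Adler32 and then by SHA-256, run over two constructed three-byte inputs that share an Adler32 value. The same pattern applies to the CRC32-keyed caches in DOCS-3200 and DOCS-3201.

```python
import hashlib
import zlib


class ConversionCache:
    """Hypothetical converter cache: key_fn maps source bytes to a cache key."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def convert(self, source: bytes) -> bytes:
        key = self.key_fn(source)
        if key not in self.store:
            # Stand-in for the real (expensive) conversion step.
            self.store[key] = b"converted:" + source
        # On a key collision this returns another input's cached result.
        return self.store[key]


def adler32_key(data: bytes) -> str:
    """Weak key: 32-bit checksum, never designed to resist collisions."""
    return format(zlib.adler32(data), "08x")


def sha256_key(data: bytes) -> str:
    """Key as described in the advisory's solution: SHA-256 of the content."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs standing in for two uploaded files.
# Adler32 only tracks running byte sums, so these two strings share a value.
IMAGE_A = b"ada"
IMAGE_B = b"bbb"


def view_a_then_b(key_fn):
    """Steps 3 and 4 of the advisory: view A, then view B, on a fresh cache."""
    cache = ConversionCache(key_fn)
    return cache.convert(IMAGE_A), cache.convert(IMAGE_B)


if __name__ == "__main__":
    for name, fn in (("adler32", adler32_key), ("sha256", sha256_key)):
        first, second = view_a_then_b(fn)
        print(name, "B served from A's entry:", first == second)
```
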

