Loading...

XML

Word

Printable

Details

Type: Bug Report
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.4.0, 7.3.3, 7.2.8, 7.4.0-alpha2
Affects Version/s: None
Component/s: engine
Labels:
None

Description

Problem description:
The user can include arbitrary EL expressions when executing task queries. These expressions could be used for malicious acts such as deleting things...

AT:

it is possible to toggle whether expressions in task queries are evaluated (such as taskAssigneeExpression); default: false
it is possible to toggle whether expressions in filters are evaluated; default: true
This (and other ways to submit server-side code such as process deployments) are documented in the user guide (e.g. scripting section); there are references to that section from the upgrade guide, REST API methods and the release notes

Reasoning:

it is possible to avoid remote code execution by setting both flags to false
with the default settings, only authenticated users who are authorized to create filters may define server-side expressions
it is no longer possible by default that any authenticated user can execute server-side expressions

mgm-controller-panel

This is the controller panel for Smart Panels app

Attachments

Issue Links

is related to

CAM-4598 Communicate security enhancements due to bug fix CAM-3915

Closed

CAM-4051 Add security warning about script execution to the docs

Closed

Activity

People

Assignee:: Matthijs

Reporter:: Daniel Meyer

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/May/15 11:12 AM

Updated:: 29/Jan/16 5:04 PM

Resolved:: 23/Sep/15 9:44 AM

Security vulnerability due to the possibility to include EL in task queries