camunda BPM / CAM-3915

Security vulnerability due to the possibility to include EL in task queries

Type: Bug Report
Resolution: Fixed
Priority: L3 - Default
Fix Version/s: 7.4.0, 7.3.3, 7.2.8, 7.4.0-alpha2
Component/s: engine

Problem description:
The user can include arbitrary EL expressions when executing task queries. These expressions are evaluated server-side and could be used for malicious acts such as deleting data.

      AT:

• It is possible to toggle whether expressions in task queries are evaluated (such as taskAssigneeExpression); default: false.
• It is possible to toggle whether expressions in filters are evaluated; default: true.
• This (and other ways to submit server-side code, such as process deployments) is documented in the user guide (e.g. the scripting section); the upgrade guide, the REST API methods and the release notes reference that section.

      Reasoning:

• Remote code execution can be avoided entirely by setting both flags to false.
• With the default settings, only authenticated users who are authorized to create filters may define server-side expressions.
• It is no longer possible by default for any authenticated user to execute server-side expressions.
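The following is an added example, not code from the issue or from the Camunda project: it builds an engine with the hardened setting described above (both toggles off) and checks that an ad-hoc task query carrying an expression is refused. It assumes the engine's `enableExpressionsInAdhocQueries` and `enableExpressionsInStoredQueries` configuration properties (not named in the issue) and an in-memory H2 engine; the `${currentUser()}` expression is just a constructed, harmless sample.

```java
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineException;
import org.camunda.bpm.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration;

// Added example, not part of CAM-3915 or the Camunda code base.
public class ExpressionHardeningCheck {

  // Weak setting the issue describes: ad-hoc query expressions are evaluated for any caller.
  public static ProcessEngine buildPermissive() {
    return configure(true, true).buildProcessEngine();
  }

  // Hardened setting from the reasoning section: both flags false removes the
  // remote code execution path for task queries and for filters.
  public static ProcessEngine buildHardened() {
    return configure(false, false).buildProcessEngine();
  }

  // Property names assumed from the engine configuration (not named in the issue).
  private static StandaloneInMemProcessEngineConfiguration configure(boolean adhoc, boolean stored) {
    StandaloneInMemProcessEngineConfiguration cfg = new StandaloneInMemProcessEngineConfiguration();
    cfg.setEnableExpressionsInAdhocQueries(adhoc);   // task queries; default false after the fix
    cfg.setEnableExpressionsInStoredQueries(stored); // filters; default true
    return cfg;
  }

  // Returns true when the engine refuses to evaluate an expression in an ad-hoc task query.
  public static boolean rejectsAdhocExpression(ProcessEngine engine) {
    try {
      engine.getTaskService().createTaskQuery()
            .taskAssigneeExpression("${currentUser()}") // constructed sample expression
            .list();
      return false; // expression was evaluated: engine is still in the permissive state
    } catch (ProcessEngineException e) {
      return true;  // rejected before evaluation: the hardening is in effect
    }
  }

  public static void main(String[] args) {
    ProcessEngine hardened = buildHardened();
    try {
      System.out.println("hardened engine rejects ad-hoc expression: "
          + rejectsAdhocExpression(hardened));
    } finally {
      hardened.close();
    }
  }
}
```

Running the same check against `buildPermissive()` returns false, which is the pre-fix behaviour the issue reports.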


People: matthijs.burke (Matthijs), meyer (Daniel Meyer)