camunda BPM - CAM-3915

Security vulnerability due to the possibility to include EL in task queries

    • Type: Bug Report
    • Resolution: Fixed
    • Priority: L3 - Default
    • Fix Version/s: 7.4.0, 7.3.3, 7.2.8, 7.4.0-alpha2
    • Component/s: engine

      Problem description:
      The user can include arbitrary EL expressions when executing task queries. These expressions could be used for malicious acts such as deleting things...

      AT:

      • it is possible to toggle whether expressions in task queries are evaluated (such as taskAssigneeExpression); default: false
      • it is possible to toggle whether expressions in filters are evaluated; default: true
      • This (and other ways to submit server-side code, such as process deployments) is documented in the user guide (e.g. the scripting section); the upgrade guide, the REST API method descriptions and the release notes reference that section

      Reasoning:

      • it is possible to avoid remote code execution by setting both flags to false
      • with the default settings, only authenticated users who are authorized to create filters may define server-side expressions
      • by default, it is no longer possible for any authenticated user to execute server-side expressions
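The two toggles the acceptance criteria describe are process engine configuration properties. The fragment below is an added example written for this page, not configuration taken from the issue or from the Camunda documentation; it assumes a plain `camunda.cfg.xml` with an in-memory engine. The property names `enableExpressionsInAdhocQueries` (expressions passed with a query, such as the REST parameter `taskAssigneeExpression`) and `enableExpressionsInStoredQueries` (expressions saved in filters) are the engine's own names for these flags; the issue text refers to them only as "both flags". The values shown are the hardened setting from the Reasoning section, with the defaults noted in comments.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- camunda.cfg.xml (added example, not from the issue): both expression
     toggles set to false so that no query or filter can carry server-side EL. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <bean id="processEngineConfiguration"
        class="org.camunda.bpm.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration">

    <!-- Expressions submitted directly with a task query (e.g. taskAssigneeExpression).
         Engine default after the fix: false. Keep it false. -->
    <property name="enableExpressionsInAdhocQueries" value="false" />

    <!-- Expressions stored inside filters and evaluated when the filter runs.
         Engine default after the fix: true (only users authorized to create filters
         can define them). Setting it to false removes server-side expression
         evaluation from filters as well. -->
    <property name="enableExpressionsInStoredQueries" value="false" />

  </bean>
</beans>
```

With `enableExpressionsInStoredQueries` left at its default of `true`, the defender's control is the filter-creation authorization: whoever may create filters may define expressions that run inside the engine, so that permission should be granted as narrowly as the deployment allows. Existing filters that contain expressions stop evaluating them once the flag is `false`, so check stored filters before flipping it in production.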

      People: matthijs.burke (Matthijs), meyer (Daniel Meyer)
      Votes: 0
      Watchers: 3