Summary: "Web Feed" macro could be used for XML bombings

Advisory Release Date

Product
  • Linchpin Enterprise News
  • Linchpin Intranet Suite

Affected Versions

Linchpin Enterprise News:

  • 2.13.1 and earlier

Linchpin Intranet Suite:

  • 3.4.0 to 3.4.2
  • 3.3.0 to 3.3.4
  • 3.2.3 and earlier

Fixed Versions

Linchpin Enterprise News:

  • 2.13.3

Linchpin Intranet Suite:

  • 3.4.3
  • 3.3.5
  • 3.2.4

Problem

We were able to identify a security vulnerability in our Linchpin Enterprise News app. The vulnerability allows any logged-in user to run a so-called billion laughs attack using the "Web Feed" macro. This is a type of denial-of-service attack which is aimed at XML parsers.

This issue was recently discovered as part of our internal quality assurance process. We have since fixed the affected library that was in use, and also analyzed our codebase for similar vulnerabilities.

All versions of the app Linchpin Enterprise News up to and including 2.13.1 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 3.4.2.
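As an added illustration of the class of fix that closes this kind of gap (this is not code from Linchpin, from the affected library, or from this advisory): a feed parser built on the Python standard library's expat bindings that refuses any DOCTYPE declaration, which is where an entity-expansion payload has to define its entities. The two feed documents are constructed samples.

```python
# Added example (not Linchpin code): feed parsing that refuses any DOCTYPE,
# which is where a "billion laughs" payload has to declare its entities.
import xml.parsers.expat


class UnsafeFeedError(ValueError):
    """Feed carried a DOCTYPE; web feeds never legitimately need one."""

def parse_feed_titles(xml_text):
    """Return the <title> texts of an RSS feed, or raise UnsafeFeedError.

    Expat reports the DOCTYPE before it processes the internal DTD subset, so
    raising in that handler stops the parse before any entity is expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    titles, buf, in_title = [], [], False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeFeedError("DOCTYPE %r is not allowed in web feeds" % name)

    def on_start(tag, attrs):
        nonlocal in_title
        if tag == "title":
            in_title = True
            buf.clear()

    def on_end(tag):
        nonlocal in_title
        if tag == "title":
            titles.append("".join(buf).strip())
            in_title = False

    def on_text(data):
        if in_title:
            buf.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_text, True)  # handler exceptions propagate from here
    return titles


# Constructed sample feeds (not real feed data).
SAFE_FEED = ('<rss version="2.0"><channel><title>Intranet news</title>'
             '<item><title>Release notes</title></item></channel></rss>')
# Skeleton of an entity bomb; a real one nests such definitions many levels deep.
BOMB_FEED = ('<!DOCTYPE rss [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;">]>'
             '<rss version="2.0"><channel><title>&b;</title></channel></rss>')
```

The safe feed yields its two titles; the feed carrying a DTD is rejected at the DOCTYPE, so the nested entities are never expanded.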

Severity

The vulnerability has been rated as Medium (6.5) according to the scale published under the Common Vulnerability Scoring System (CVSS).

Solution

Depending on whether you use the Linchpin Enterprise News app standalone or bundled as part of the Linchpin Intranet Suite, there are different paths to the version of the Linchpin Enterprise News app that closes this gap.

Linchpin Enterprise News

If you are using the Linchpin Enterprise News app in one of the affected versions 2.13.1 or earlier, please immediately update to Linchpin Enterprise News version 2.13.3.

Linchpin Intranet Suite

Please refer to the table below to determine the appropriate fix version.

Current version                               Fix version
Linchpin Intranet Suite 3.4.0 to 3.4.2        3.4.3
Linchpin Intranet Suite 3.3.0 to 3.3.4        3.3.5
Linchpin Intranet Suite 3.2.3 and earlier     3.2.4

For versions prior to the 3.2 line, we recommend updating to the latest supported version of the Linchpin Intranet Suite available for your Confluence system.

Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

Important: If you update from Linchpin Intranet Suite 2.0.0 or earlier versions, your system could be affected by a rare bug that causes the installation to hang.
Please follow the description in this article: "Installation or update of Linchpin Intranet Suite hangs"

  1. Restart Confluence (only necessary if the update is already hanging)
  2. Uninstall the app "Linchpin User Profiles (Content Responsibility)".
  3. Uninstall the app "Linchpin User Profiles".
  4. Install the app "Linchpin Intranet Suite" again.


Link to this page: https://seibert.biz/kbsecuritynotice107
