Regarding OC 10.7 Vulnerability: CVE-2021-29659

It was noticed that there is a recent CVE regarding OC 10.7.
https://www.cvedetails.com/cve/CVE-2021-29659/
Would anyone please advise if the CVE had been dealt with?

I have searched and found that the CVE was recognized by OC in the following entry.

However, in the above entry, it only mentioned that “The enumeration mitigation is now properly enforced.”, but it didn’t mention how the mitigation should be enforced on an OC 10.7 server.

Would anyone please share more info regarding the CVE? Perhaps it had already been fixed in the latest 10.7 release?

Thanks!

Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces.

This is still working on 10.7, but seems to be fixed in 10.8.

1 Like
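As an added illustration of the bug class described above (this is not ownCloud's code and not the fix that shipped in 10.8): a search handler that only rejects the empty string lets a whitespace-only term through, and once trimmed that term matches every account. The hardened version normalizes whitespace before any check and honours an enumeration-restriction policy, and a small log scanner flags whitespace-only search terms in access logs so an administrator on 10.7 can at least see attempts. The endpoint path `/index.php/search`, the `search` query parameter, the user list and the log lines are all constructed for this example.

```python
"""Hardened user search plus a detector for whitespace-only search terms.

Added example, not ownCloud's own code. The endpoint path, the `search`
parameter name, the user directory and the log lines are hypothetical.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed user directory (hypothetical data).
USERS = ["alice", "bob", "carol", "dave"]

# Hypothetical policy value: minimum prefix length when substring search is allowed.
MIN_SEARCH_LEN = 3


def vulnerable_search(term, users=USERS):
    """Illustrative buggy pattern (not the real ownCloud code): only the empty
    string is rejected, then the term is trimmed before matching, so a term of
    three spaces becomes '' and '' is a substring of every user name."""
    if term == "":
        return []
    needle = term.strip().lower()
    return [u for u in users if needle in u.lower()]


def normalize_term(term):
    """Collapse runs of Unicode whitespace and trim; whitespace-only input becomes ''."""
    return re.sub(r"\s+", " ", term).strip()


def hardened_search(term, users=USERS, restrict_enumeration=True):
    """Normalize first, reject empty input, then apply the enumeration policy:
    with restriction on, only exact user-name matches are returned; with it
    off, substring search still needs a meaningful prefix."""
    needle = normalize_term(term).lower()
    if not needle:
        return []
    if restrict_enumeration:
        return [u for u in users if u.lower() == needle]
    if len(needle) < MIN_SEARCH_LEN:
        return []
    return [u for u in users if needle in u.lower()]


# Common/combined log format, enough fields to recover client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_blank_search_requests(log_lines, param="search"):
    """Return (client_ip, request_target) for requests whose search parameter
    is present but normalizes to '' (e.g. '%20%20%20' or '+++')."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes %20 and '+' to spaces and keeps blank values.
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            if raw != "" and normalize_term(raw) == "":
                hits.append((m["ip"], m["target"]))
    return hits


# Constructed access-log lines (hypothetical addresses and paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2021:12:00:01 +0000] "GET /index.php/search?search=ali HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2021:12:00:02 +0000] "GET /index.php/search?search=%20%20%20 HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/May/2021:12:00:03 +0000] "GET /index.php/search?search=+++ HTTP/1.1" 200 8192',
    '198.51.100.7 - - [10/May/2021:12:00:04 +0000] "GET /index.php/files HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_search("   "))
    print("hardened:  ", hardened_search("   "))
    for ip, target in find_blank_search_requests(SAMPLE_LOG):
        print("blank search term from", ip, "->", target)
```

The point of `normalize_term` is ordering: trim and collapse whitespace before the emptiness check, not after, and treat an empty needle as "return nothing" rather than "match everything". The log scanner reports only the client address and request target, which is what is needed to correlate attempts with the upgrade window.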

Thanks alfredb for your reply.
As the current “production build” was still 10.7 (10.8 is tagged as stable, but not production), is there any workaround available to mitigate the risk without upgrading to 10.8?
Thanks!

None that I know of. You could ask the devs for a patch.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.