Vulnerability RICT-2673

    Overview

    OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the confidentiality, integrity, and availability of a development workstation.

    Vulnerability risk

    Base Score: 7.9 (High)

    Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H


    To understand the phases involved in the process, and how and when we communicate, check this article. This vulnerability is currently in the embargo phase.

    • Embargo phase: This vulnerability was first communicated to all customers on January 20, 2021.
    • Public disclosure: Full details on this vulnerability were published on 7 April, 2021.

    Vulnerability details

    A vulnerability was found in Integration Studio: the connection responsible for downloading an upgrade package was made over insecure transport (HTTP), which makes that package prone to spoofing. A spoofed package could be leveraged to infect the workstation.

    Components & stacks

    This vulnerability affects all OutSystems 11 Integration Studio versions.

    Protecting your OutSystems installation

    OutSystems issued Development Environment release 11.8.4, which addresses this vulnerability. All customers who have yet to update Integration Studio are strongly encouraged to do so.


    There is no workaround. We strongly advise you to update to the above-mentioned version.


    | Question | Answer |
    | --- | --- |
    | By exploiting this vulnerability, can an attacker access my data? | Yes. By exploiting this vulnerability, an attacker will have access to data stored on your workstation. |
    | What do I need to do? | Update your OutSystems Development Environment to the above-mentioned version. |
    | Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels. |