OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the availability and integrity of the data handled and stored by the OutSystems Platform.
This vulnerability affects all supported platform stacks.
Base Score: 7.6 (High)
Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L
To understand the phases involved in the process, how and when we communicate, check this article.
- Embargo phase: This vulnerability was first communicated to all customers on December 12, 2019
- Public disclosure: Full details on this vulnerability were disclosed on March 2020
This vulnerability resides in the mechanism used by the OutSystems Platform to validate developer permissions. By exploiting this vulnerability, a Developer with the "Reuse & Monitor" role is able to use the advanced query feature of Service Studio to corrupt or delete the data in the database.
Protecting your OutSystems Platform
For OutSystems Cloud OutSystems updated all infrastructures of version 10 to the release 10.0.1020.0 and those of version 11 to Release OCT.19 CP5.
OutSystems issued new releases of the Platform Server that address this vulnerability. All customers who have yet to update their Platform servers are strongly encouraged to do so.
This vulnerability is fixed for version 10.0.1016.0 and all subsequent versions.
The vulnerability is fixed on Release OCT.19 CP4
There is no workaround, we strongly advise to update to the above mentioned releases.
|By exploiting this vulnerability can an attacker access my data?||No. By exploiting this vulnerability an attacker will be able to compromise the integrity and availability of the data but not the confidentiality.|
|Has this vulnerability been exploited in the wild?||OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it.|
|What do I need to do?||Update your OutSystems Platform Server to the above-mentioned version that applies.|
|Will OutSystems share any more information about this vulnerability?||All the details that can be shared were already disclosed in this article.|
|Who can I talk to about this?||If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels.|