OutSystems became aware of a vulnerability that, if exploited, may allow an attacker to compromise the Availability and Integrity of the data handled and stored by the OutSystems Platform.
The exploitation of this vulnerability will not compromise the Confidentiality of your data.
This vulnerability affects all supported platform stacks.
Base Score: 7.2 (High)
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
To understand the phases involved in the process, and how and when we communicate, check this article.
- Embargo phase: This vulnerability was first communicated to all customers on December 12, 2019.
- Public disclosure: Full details on this vulnerability were disclosed in March 2020.
This vulnerability resides in the Upload widget. By exploiting this vulnerability, an unauthenticated attacker would be able to upload arbitrary files to the platform.
In some cases, this attack may consume the available database space, causing a Denial of Service; corrupt legitimate data if files are being processed asynchronously; or even deny access to legitimately uploaded files.
Protecting your OutSystems Platform
OutSystems has issued new releases of the Platform Server to address this vulnerability.
OutSystems will update all cloud infrastructures to version 10.0.1021.0 or to Release OCT.19 CP6, depending on their current version.
All customers who have yet to update their Platform servers are strongly encouraged to do so.
This vulnerability is fixed for version 10.0.1019.0 and all subsequent versions.
The vulnerability is fixed on Release OCT.19 CP4 and all subsequent versions.
There is no workaround; we strongly advise updating to the above-mentioned versions.
| By exploiting this vulnerability, can an attacker access my data? | No. By exploiting this vulnerability, an attacker will be able to compromise the integrity and availability of the data but not the confidentiality. |
| Has this vulnerability been exploited in the wild? | OutSystems does not have any evidence that this vulnerability has been exploited in the wild or that any customer has been affected by it. |
| What do I need to do? | Update your OutSystems Platform to the above-mentioned version that applies. For Cloud Customers, OutSystems will update the platform for you. |
| Will OutSystems share any more information about this vulnerability? | All the details that can be shared were already disclosed in this article. |
| Who can I talk to about this? | If you have any questions, contact your Customer Success Manager. If you don’t have one, contact us via our support channels. |
Vulnerability reported by Joshua Provoste.