Security Updates: Apostrophe 3.63.2 released

[boutell]

A fix for a significant security vulnerability has just been released as Apostrophe 3.63.2. All developers should npm update and deploy their Apostrophe 3.x projects to ensure they have this fix. Legacy 2.x projects are unaffected.

The fix in question addresses a serious security risk in which arbitrary methods of Apostrophe modules could be called over the network, without arguments, and the results returned to the caller.

While the lack of arguments mitigates the data exfiltration risk, it is possible for the right payload to cause data loss. Therefore this is an urgent upgrade for all Apostrophe 3.x users.

In addition, we addressed two minor security issues:

• We removed an API no longer in use which was able to generate iframe markup for any URL. There was no risk of server-side data exfiltration with this API but it did represent a low-level SSRF risk.
• We removed an unused, obsolete API route which could be used to trigger a crash and restart, e.g. it posed a denial of service risk.

We’d like to thank the Michelin penetration test red team for the thorough analysis that led to the discovery of these three issues. No other issues were reported by the penetration test team.