Page tree
Skip to end of metadata
Go to start of metadata

Summary

Vulnerabilities have been announced in CakePHP, the framework used by COmanage Registry. Details of these vulnerabilities have not yet been announced. Framework versions earlier than 2.7.6 are affected, which means all versions of Registry prior to 1.0.0, including the 1.0.0 release candidates, are likely to be affected.

Severity

The severity of these vulnerabilities is not yet known.

Exposure

The exposure from these vulnerabilities is not yet known.

Recommended Mitigation

Upgrade to COmanage Registry v1.0.0 or later.

Alternate Mitigations

COmanage Registry v0.9.4 was released using CakePHP 2.7.1. It may be possible to drop in CakePHP 2.7.6 or a later 2.7.x release without needing to upgrade to Registry v1.0.0, however this has not been tested.

COmanage Registry v0.9.2 and v0.9.3 were released using CakePHP 2.6.1. It may be possible to drop in CakePHP 2.6.12 or a later 2.6.x release without needing to upgrade to Registry v1.0.0, however this has not been tested.

Older Registry versions were released using older CakePHP releases. Framework deprecations and other semi-incompatible changes are likely to complicate a similar "drop in replacement" approach.

Discussion

As details of the vulnerabilities have not yet been announced, not much can be said about the exact impact. The safest approach is to upgrade as soon as practical to an unaffected version. As details about the vulnerabilities have not yet been released, it is not yet clear what the earliest affected version is.

  • No labels