Mindbreeze InSpire Vulnerabilities

This page lists known security vulnerabilities found in Mindbreeze InSpire. The article titles contain the Mindbreeze issue number and, in the case of third-party software, the official CVE number. Information about the affected components, severity level, current status and how to prevent the issue as well as hotfix information if applicable, can be found on the detail pages. You can also use the full text search to find specific vulnerabilities.

If you have found a possible security vulnerability, please contact Mindbreeze InSpire Support at support@mindbreeze.com providing detailed information about the problem found.

Vulnerabilities

SharePoint Online Connector does not process Role Updates correctly (MINDBREEZE17003)

ID: MINDBREEZE17003 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 4.1 Medium Status: Final First published: March 2, 2021 Summary Using the SharePoint Online connector with the Option "Enable Delta Crawl" active (enabled by default), changes to SharePoint user roles (Role Updates) are not processed correctly. This can lead to Document ACLs being out of date.

OpenSSL Security Update (MINDBREEZE16594)

ID: MINDBREEZE16594 Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 5.9 Medium Status: Final First published: February 2, 2021 CVEs: CVE-2020-1971 Summary OpenSSL: EDIPARTYNAME NULL pointer de-reference could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Remediation Hotfix Information

Removed Legacy Versions of Javascript Libraries: jQuery and RequireJS (MINDBREEZE16269)

ID: MINDBREEZE16269 Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 6.1 Medium Status: Final First published: February 2, 2021 CVEs: CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023 Summary Removing this legacy Libraries fixes the following CVEs:

Javascript Library Bootstrap and JQuery Security Update (MINDBREEZE16267)

ID: MINDBREEZE16267 Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 6.1 Medium Status: Final First published: February 2, 2021 CVEs: CVE-2018-14040, CVE-2018-1404, CVE-2018-14042, CVE-2019-8331, CVE-2020-11022, CVE-2020-11023, CVE-2015-9251, CVE-2019-11358, CVE-2012-6708 Summary Bootstrap and JQuery update contains fixes for te following CVEs:

FilterPlugin.Batik (SVG) Image Library Batik Security Update (MINDBREEZE16264)

ID: MINDBREEZE16264 Affected Components: Mindbreeze Inspire G6, Mindbreeze Inspire G7, Mindbreeze InSpire SaaS Severity: 7.5 High Status: Final First published: February 2, 2021 CVEs: CVE-2019-17566 Summary The Mindbreeze ImageIO Filter is using Apache Batik to filter SVGs, which is vulnerable to server-side request forgery, caused by improper input validation. Remediation Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

XML Library Xalan Security Update (MINDBREEZE16261)

ID: MINDBREEZE16261 Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 7.5 High Status: Final First published: February 2, 2021 CVEs: CVE-2014-0107 Summary The Apache Xalan TransformerFactory does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources. Remediation Hotfix Information

Encryption Library Bouncycastle Security Update (MINDBREEZE16259)

ID: MINDBREEZE16259 Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 7.5 High Status: Final First published: February 2, 2021 CVEs: CVE-2016-1000338, CVE-2016-1000341, CVE-2020-26939, CVE-2016-1000342 Summary The Bouncy Castle Update contains fixes for the following CVEs:

Kernel and GRUB Security Update (MINDBREEZE15809)

ID: MINDBREEZE15809 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 8.2 Moderate Status: Final First published: February 2, 2021 CVEs: CVE-2020-10713, CVE-2020-14308, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707, CVE-2019-19527, CVE-2019-19537, CVE-2020-8647, CVE-2020-12826, CVE-2020-11565, CVE-2020-10732, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698 Summary The Kernel and GRUB Update contains fixes for the following CVEs:

Administator only: Hidden files accessible if URL is known (MINDBREEZE15801)

ID: MINDBREEZE15801 Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7 Severity: 6.1 Medium Status: Final First published: February 2, 2021 Summary The Filemanager Component, requiring administrative privileges by default does not show system files. By knowing the exact file name the files can be displayed. Remediation Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

InSpire MMC user with "InSpire Index Writer" role is able to update Configuration (MINDBREEZE15601)

ID: MINDBREEZE15601 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 6.2 Medium Status: Final First published: February 2, 2021 Summary Privileged Role "InSpire Index Writer" is able to perform configuration posts that the index writer does not have access. Remediation Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: Mindbreeze InSpire 20.5 Release (Version 20.5.1.835) Mindbreeze InSpire SaaS 20.5 Release (Version 20.5.1.835)