2021-02-19 Vulnerability notification: Linchpin Enterprise News and Linchpin Intranet Suite

Problem

We were able to identify a security vulnerability in our Linchpin Enterprise News app. The vulnerability allows any logged-in user, under tight conditions, to run any available software on the host system. This is a type of remote-code-execution attack.

This issue was recently discovered during an internal security audit. We have since fixed the affected functionalities and also analyzed our codebase across all apps for similar vulnerabilities.

All versions of the app Linchpin Enterprise News up to and including 2.15.0 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 4.1.0.

Severity

The vulnerability has been rated as Critical (9.9) according to the scale published under the Common Vulnerability Scoring System (CVSS v3.1).

Solution

Depending on the fact whether you use the Linchpin Enterprise News app standalone or bundled as part of the Linchpin Intranet Suite, there are different paths to get to the right version of the Linchpin Enterprise News that closes the gap mentioned.

Linchpin Enterprise News

If you are using the Linchpin Enterprise News app in one of the affected versions 2.15.0 or earlier, please immediately update to Linchpin Enterprise News 2.15.2.

Linchpin Intranet Suite

Please refer to the table below to determine the appropriate fix version. Please note: These versions also contain patches for two additional vulnerabilities in the apps Linchpin Theme and Linchpin Events, respectively.

For versions prior to the 3.4 line, we recommend updating to the latest supported version of the Linchpin Intranet Suite available for your Confluence system.

Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.