Summary | Possible remote code execution on intranet host system |
---|---|
Advisory Release Date | |
Product | |
Affected Versions | Linchpin Theme: up to and including 2.24.0; Linchpin Essentials: up to and including 1.5.0; Linchpin Intranet Suite: up to and including 4.1.0 |
Fixed Versions | Linchpin Theme: 2.24.1; Linchpin Essentials: 1.5.1; Linchpin Intranet Suite: 4.1.1 (4.0.2 for the 4.0 line, 3.4.6 for the 3.4 line) |
Problem
We were able to identify a security vulnerability in our Linchpin Theme app. The vulnerability allows any logged-in user, under tight conditions, to run any available software on the host system. This is a type of remote-code-execution attack.
This issue was recently discovered during an internal review. We have since fixed the affected functionalities and also analyzed our codebase across all apps for similar vulnerabilities.
All versions of the app Linchpin Theme up to and including 2.24.0 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 4.1.0.
All versions of the Linchpin Essentials app are affected by this vulnerability, up to and including version 1.5.0.
Severity
The vulnerability has been rated as Critical (9.9) according to the scale published under the Common Vulnerability Scoring System (CVSS v3.1).
Solution
Depending on whether you use the Linchpin Theme app standalone or bundled as part of the Linchpin Intranet Suite or Linchpin Essentials, there are different paths to the Linchpin Theme version that closes this gap.
Linchpin Theme
If you are using the Linchpin Theme app in one of the affected versions 2.24.0 or earlier, please immediately update to Linchpin Theme 2.24.1.
Linchpin Essentials
Please refer to the table below to determine the appropriate fix version.
Current version | Fix version |
---|---|
Linchpin Essentials 1.5.0 | 1.5.1 |
For versions prior to the 1.5.0 line, we recommend updating to the latest supported version of Linchpin Essentials available for your Confluence system.
Should you be unable to update Linchpin Essentials to the listed version, please reach out to our support team at https://seibert.biz/help.
Linchpin Intranet Suite
Please refer to the table below to determine the appropriate fix version. Please note: These versions also contain patches for two additional vulnerabilities in the apps Linchpin Events and Linchpin Enterprise News, respectively.
Current version | Fix version |
---|---|
Linchpin Intranet Suite 4.1.0 | 4.1.1 |
Linchpin Intranet Suite 4.0.0 to 4.0.1 | 4.0.2 |
Linchpin Intranet Suite 3.4.0 to 3.4.5 | 3.4.6 |
For versions prior to the 3.4 line, we recommend updating to the latest supported version of the Linchpin Intranet Suite available for your Confluence system.
Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.
Due to a bug in Confluence, you might face problems after an update, resulting in parts of the Theme not working properly. For more information, please refer to the knowledge base article "Parts of Linchpin or Confluence not accessible after update".