In this security bulletin we bring you information on new security-related developments at Sitecore.
We are reporting a Critical vulnerability (SC2019-001-302938), for which there is a fix available.
We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.
To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:
https://kb.sitecore.net/articles/608800
Versions affected
Vulnerability SC2019-001-302938 affects all versions of Sitecore XP 8.2, all versions of XP 9.0, and Initial Release of XP 9.1.
Vulnerability is applicable to all Sitecore systems running affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.), which are exposed to the internet and have the pages under /sitecore/admin path accessible to Sitecore users.
A hotfix/patch is available for all affected Sitecore XP versions.
Versions not affected
Sitecore CMS/XP versions 6.3—8.1 are not vulnerable.
Sitecore xDB Cloud environments are not affected.
Apply the following patch (compatible with all affected versions): Sitecore.Support.302938-9.0.1.1
Note: see the readme.html file inside the archive for installation instructions.