Summary
As part of a routine code review, a potential vulnerability was discovered affecting Registry versions 0.9.1 through 1.0.5. More details of this issue will be provided in mid-February.
Severity
The severity of this vulnerability will vary according to a given configuration, but will likely be High or Very High for most deployments.
Exposure
The exposure from this vulnerability is expected to be very low, as it is unlikely that this vulnerability has been exploited. Furthermore, in most versions (especially 0.9.4 and later) simple checks are likely to be available to determine if any exploit occurred.
Recommended Mitigation
Upgrade to COmanage Registry v1.0.6 or later.
Deployments using the develop branch may pull the latest code from that branch.
Alternate Mitigations
The project will be unable to provide any support or patches for earlier versions. Due to the way the fix was implemented, it is non-trivial to backport.
Discussion
More details of this issue will be provided in mid-February.