CVE-2020-1959 – org.apache.syncope:syncope-core

Package

Manager: maven
Name: org.apache.syncope:syncope-core
Vulnerable Version: >=0 <2.1.6

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.01649 pctl0.81297

Details

Expression Language Injection in Apache Syncope A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.

Metadata

Created: 2021-06-16T17:18:58Z
Modified: 2021-07-29T16:57:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vjqw-r3ww-wj2w/GHSA-vjqw-r3ww-wj2w.json
CWE IDs: ["CWE-917"]
Alternative ID: GHSA-vjqw-r3ww-wj2w
Finding: F004
Auto approve: 1