CVE-2014-0111 – org.apache.syncope:syncope

Package

Manager: maven
Name: org.apache.syncope:syncope
Vulnerable Version: >=1.0.0 <1.0.9 || >=1.1.0 <1.1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01067 pctl0.76867

Details

Apache Syncope JEXL Code Injection Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."

Metadata

Created: 2022-05-14T01:18:38Z
Modified: 2023-08-16T22:09:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r2xf-w5pj-9pw8/GHSA-r2xf-w5pj-9pw8.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-r2xf-w5pj-9pw8
Finding: F422
Auto approve: 1