Injection in Apache Syncope

High severity GitHub Reviewed Published Jun 16, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

maven org.apache.syncope:syncope-core (Maven)

Affected versions

>= 2.0.0, < 2.0.15
>= 2.1.0, < 2.1.6

Patched versions

2.0.15
2.1.6

Description

A Server-Side Template Injection vulnerability in mail templates was discovered in Apache Syncope 2.0.x releases prior to 2.0.15 and 2.1.x releases prior to 2.1.6. It enables attackers to inject arbitrary JEXL expressions into mail templates, leading to Remote Code Execution (RCE).

References

Published by the National Vulnerability Database May 4, 2020
Reviewed May 25, 2021
Published to the GitHub Advisory Database Jun 16, 2021
Last updated Feb 1, 2023

Severity

High

EPSS score

0.105%
(44th percentile)

Weaknesses

CVE ID

CVE-2020-1961

GHSA ID

GHSA-4w4p-xwrr-9crh

Source code

No known source code