Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yMnhmLXc1cGotOXB3OM4AAT02
Apache Syncope JEXL Code Injection
Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."
Permalink: https://github.com/advisories/GHSA-r2xf-w5pj-9pw8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yMnhmLXc1cGotOXB3OM4AAT02
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
Identifiers: GHSA-r2xf-w5pj-9pw8, CVE-2014-0111
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-0111
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201404.mbox/%[email protected]%3E
- http://syncope.apache.org/security.html
- https://web.archive.org/web/20201208163011/http://www.securityfocus.com/archive/1/531841/100/0/threaded
- https://github.com/advisories/GHSA-r2xf-w5pj-9pw8
Affected Packages
maven:org.apache.syncope:syncope
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 1.1.0, < 1.1.7, >= 1.0.0, < 1.0.9
Fixed in: 1.1.7, 1.0.9
All affected versions: 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6
All unaffected versions: 1.0.9, 1.1.7, 1.1.8, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6