Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR3NHAteHdyci05Y3Jo
Injection in Apache Syncope
A Server-Side Template Injection vulnerability in the mail templates of Apache Syncope 2.0.X releases prior to 2.0.15 and 2.1.X releases prior to 2.1.6 allows attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE).
Permalink: https://github.com/advisories/GHSA-4w4p-xwrr-9crh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR3NHAteHdyci05Y3Jo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-4w4p-xwrr-9crh, CVE-2020-1961
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1961
- http://syncope.apache.org/security
- https://github.com/advisories/GHSA-4w4p-xwrr-9crh
Affected Packages
maven:org.apache.syncope:syncope-core
Versions: >= 2.1.0, < 2.1.6; >= 2.0.0, < 2.0.15
Fixed in: 2.1.6, 2.0.15