CVE-2020-1959

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-1959

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1959.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-1959

Aliases

GHSA-vjqw-r3ww-wj2w

Published

2020-05-04T13:15:13Z

Modified

2024-09-03T03:21:01.937453Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.

References

http://syncope.apache.org/security

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type: GIT
Repo: https://github.com/apache/syncope
Events: Introduced

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Fixed

a1200e18daccb3deebcdaaf91c965596df10cab7

Affected versions

syncope-2.*

syncope-2.1.0

syncope-2.1.1

syncope-2.1.2

syncope-2.1.3

syncope-2.1.4

syncope-2.1.5