CVE-2020-1961

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-1961

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1961.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-1961

Aliases

GHSA-4w4p-xwrr-9crh

Published

2020-05-04T13:15:14Z

Modified

2024-09-03T03:21:05.523478Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.

References

http://syncope.apache.org/security

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type: GIT
Repo: https://github.com/apache/syncope
Events: Introduced

973afc777d2f8093785875c62e808d97334fb2e3

Fixed

ed7a41d182bd30cc9881e1a39da2d7a1658a6067

Affected versions

syncope-2.*

syncope-2.0.0

syncope-2.0.1

syncope-2.0.10

syncope-2.0.11

syncope-2.0.12

syncope-2.0.13

syncope-2.0.14

syncope-2.0.2

syncope-2.0.3

syncope-2.0.4

syncope-2.0.5

syncope-2.0.6

syncope-2.0.7

syncope-2.0.8

syncope-2.0.9