CVE-2025-57738

Source
https://cve.org/CVERecord?id=CVE-2025-57738
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57738.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-57738
Aliases
Published
2025-10-20T15:15:33.553Z
Modified
2026-04-10T05:31:09.696278Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Apache Syncope lets every deployment extend or customize its base behavior by providing custom implementations of a few Java interfaces; these implementations can be supplied as either Java or Groovy classes, the latter being particularly attractive because the machinery is set up for runtime reload. This feature has been available for a while, but it was recently discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.

References

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type
GIT
Repo
https://github.com/apache/syncope
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "3.0.14"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.2"
        }
    ]
}

Affected versions

syncope-2.*
syncope-2.1.0
syncope-3.*
syncope-3.0.0
syncope-3.0.0-M0
syncope-3.0.0-M1
syncope-3.0.0-M2
syncope-3.0.1
syncope-3.0.10
syncope-3.0.11
syncope-3.0.12
syncope-3.0.13
syncope-3.0.2
syncope-3.0.3
syncope-3.0.4
syncope-3.0.5
syncope-3.0.6
syncope-3.0.7
syncope-3.0.8
syncope-3.0.9
syncope-4.*
syncope-4.0.0
syncope-4.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-57738.json"