GHSA-r2xf-w5pj-9pw8

Source

https://github.com/advisories/GHSA-r2xf-w5pj-9pw8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r2xf-w5pj-9pw8/GHSA-r2xf-w5pj-9pw8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r2xf-w5pj-9pw8

Aliases

CVE-2014-0111

Published

2022-05-14T01:18:38Z

Modified

2024-11-29T05:41:03.197659Z

Summary

Apache Syncope JEXL Code Injection

Details

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."

Database specific

{
    "nvd_published_at": "2014-04-17T14:55:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T22:09:18Z"
}

References

Affected packages

Maven / org.apache.syncope:syncope

Package

Name: org.apache.syncope:syncope; View open source insights on deps.dev
Purl: pkg:maven/org.apache.syncope/syncope

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.9

Affected versions

1.*

1.0.0-incubating

1.0.1-incubating

1.0.2-incubating

1.0.3-incubating

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

Maven / org.apache.syncope:syncope

Package

Name: org.apache.syncope:syncope; View open source insights on deps.dev
Purl: pkg:maven/org.apache.syncope/syncope

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.0

Fixed

1.1.7

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6