Apache Syncope JEXL Code Injection

2022-05-1401:18:38

Google

osv.dev

0.002 Low

EPSS

Percentile

62.2%

JSON

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, “derived schema definition,” “user / role templates,” and “account links of resource mappings.”

CPENameOperatorVersion
org.apache.syncope:syncopeeq1.0.1-incubating
org.apache.syncope:syncopeeq1.0.2-incubating
org.apache.syncope:syncopeeq1.1.2
org.apache.syncope:syncopeeq1.1.3
org.apache.syncope:syncopeeq1.0.6
org.apache.syncope:syncopeeq1.1.4
org.apache.syncope:syncopeeq1.0.4
org.apache.syncope:syncopeeq1.0.8
org.apache.syncope:syncopeeq1.1.5
org.apache.syncope:syncopeeq1.1.1

Name	Operator	Version
org.apache.syncope:syncope	eq	1.0.1-incubating
org.apache.syncope:syncope	eq	1.0.2-incubating
org.apache.syncope:syncope	eq	1.1.2
org.apache.syncope:syncope	eq	1.1.3
org.apache.syncope:syncope	eq	1.0.6
org.apache.syncope:syncope	eq	1.1.4
org.apache.syncope:syncope	eq	1.0.4
org.apache.syncope:syncope	eq	1.0.8
org.apache.syncope:syncope	eq	1.1.5
org.apache.syncope:syncope	eq	1.1.1