Description

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1.X releases prior to 2.1.6, enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution (RCE) was discovered.

Remediation

References

http://syncope.apache.org/security

Related Vulnerabilities

CVE-2021-41084 Vulnerability in maven package org.http4s:http4s-server_3

CVE-2017-1000242 Vulnerability in maven package org.jenkins-ci.plugins:git-client

CVE-2022-40764 Vulnerability in npm package snyk

CVE-2023-24998 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2019-1003067 Vulnerability in maven package org.jenkins-ci.plugins:trac-publisher-plugin

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory