Critical severity · NVD Advisory · Published May 4, 2020 · Updated Aug 4, 2024

CVE-2020-1959

Description

Server-Side Template Injection in Apache Syncope prior to 2.1.6 allows unauthenticated attackers to achieve Remote Code Execution via arbitrary Java EL expressions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Syncope prior to version 2.1.6 is vulnerable to a Server-Side Template Injection (SSTI) flaw. The application uses Java Bean Validation (JSR 380) custom constraint validators, and the message interpolator that builds constraint violation error messages supports interpolation, including evaluation of Java EL expressions. Because user-supplied data is placed into the error message template, an attacker who controls that data can supply an EL expression that is evaluated as arbitrary Java code [1][2].

Exploitation does not require authentication; an attacker only needs to send crafted input that triggers a validation error. When the input contains a malicious Java EL expression, the expression is evaluated at the moment the error message is constructed, leading to code execution on the server [2].

Successful exploitation results in unauthenticated Remote Code Execution (RCE) with the privileges of the Syncope application. This can lead to full compromise of the Syncope service, including access to sensitive data and potential pivot to internal systems [1][2].

The vulnerability is fixed in Apache Syncope 2.1.6. Upgrading to this version or later is the recommended mitigation. No workarounds are available [1].
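The pattern behind this class of bug, and its defensive counterpart, as an added illustration that is not Syncope's own code: a custom Bean Validation (JSR 380) constraint validator whose error message template includes the rejected value. `SafeName`, `SafeNameValidator` and `escapeForTemplate` are hypothetical names; the vulnerable call is shown only in a comment, and the hardened version escapes the interpolation metacharacters defined by the Bean Validation specification before the value enters the template.

```java
// Added illustrative example (not Apache Syncope code). Requires the Bean Validation 2.0
// API (javax.validation) and a provider such as Hibernate Validator on the classpath.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

// Hypothetical constraint annotation used to drive the validator below.
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeNameValidator.class)
@interface SafeName {
    String message() default "invalid name";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class SafeNameValidator implements ConstraintValidator<SafeName, String> {

    // Allow-list of characters a name may contain (hypothetical policy).
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || ALLOWED.matcher(value).matches()) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();

        // VULNERABLE PATTERN (the bug class described above): the rejected value is
        // concatenated straight into the message template. The interpolator treats
        // "${...}" in a template as an EL expression, so attacker-controlled input
        // reaches the EL evaluator:
        //
        //   ctx.buildConstraintViolationWithTemplate("Invalid name: " + value)
        //      .addConstraintViolation();

        // HARDENED: escape every character the interpolator treats specially before
        // the value enters the template, so it is rendered literally. Keeping the
        // template constant and leaving the value out entirely is simpler still.
        ctx.buildConstraintViolationWithTemplate("Invalid name: " + escapeForTemplate(value))
           .addConstraintViolation();
        return false;
    }

    /**
     * Escape the characters the Bean Validation message interpolator treats
     * specially: '{' and '}' (parameter / EL delimiters), '$' (EL prefix) and the
     * escape character '\' itself. The spec defines \{ \} \$ and \\ as literal
     * escape sequences, so the escaped value can no longer open an expression.
     */
    static String escapeForTemplate(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (char c : raw.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '{':  sb.append("\\{");  break;
                case '}':  sb.append("\\}");  break;
                case '$':  sb.append("\\$");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The defensive point is that `buildConstraintViolationWithTemplate` takes a template, not a literal message: anything concatenated into it is parsed by the interpolator. The safest fix is a constant template (for example a resource-bundle key such as `{name.invalid}`) with the offending value written only to a log or returned in a separate, non-interpolated field; escaping, as above, is the fallback when the value must appear in the message itself.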

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
org.apache.syncope:syncope-core (Maven)   < 2.1.6             2.1.6

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)