VYPR
High severity · NVD Advisory · Published May 4, 2020 · Updated Aug 4, 2024

CVE-2020-1961

Description

Apache Syncope mail templates are vulnerable to SSTI, allowing attackers to inject arbitrary JEXL expressions and achieve RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

Apache Syncope 2.0.x releases before 2.0.15 and 2.1.x releases before 2.1.6 contain a Server-Side Template Injection (SSTI) vulnerability in their mail templates. Mail templates are rendered by evaluating the JEXL expressions they contain against server-side objects, and template content supplied by a user reaches the JEXL engine without sanitization or restriction. Anyone who can write template text can therefore inject expressions of their own, which the server evaluates at rendering time [1][2].

Exploitation

An attacker who can modify mail templates, in practice an authenticated user holding the administrative privilege to manage templates, can embed arbitrary JEXL expressions in a template. The expressions run when the template is rendered to produce a notification email, so the payload executes server-side with the privileges of the Syncope process, possibly some time after it was planted. No network access is needed beyond reaching the Syncope application and being able to change template content [1][2].
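The mechanism described in the two paragraphs above, as an added example: this is the editor's own code, not Apache Syncope's code and not its fix. It shows a template body rendered by an unrestricted Apache Commons JEXL engine turning into a code-execution primitive, and the same template confined by a deny-by-default JexlSandbox to the two fields it legitimately needs. It assumes commons-jexl3 (3.1/3.2 API shape) on the classpath; the User bean, the "user" context variable and the template strings are hypothetical stand-ins for Syncope's real template context.

```java
// Added example (not Apache Syncope's code or fix). Assumes
// org.apache.commons:commons-jexl3 (3.1/3.2 API) on the classpath.
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class JexlTemplateSsti {

    // Hypothetical bean standing in for the user object a mail template can see.
    public static class User {
        private final String username;
        private final String email;
        public User(String username, String email) { this.username = username; this.email = email; }
        public String getUsername() { return username; }
        public String getEmail() { return email; }
    }

    // Benign template body an administrator would write: it only reads user fields.
    static final String LEGIT_TEMPLATE = "'Welcome ' + user.username + ' <' + user.email + '>'";

    // Injected template body: walks from a harmless string literal to java.lang.System
    // through reflection. Reading a system property keeps the demo safe to run; the
    // same chain reaches Runtime and ProcessBuilder, which is the RCE case.
    static final String INJECTED_TEMPLATE =
        "''.getClass().forName('java.lang.System').getProperty('user.name')";

    // Vulnerable pattern: default introspection evaluates whatever the template
    // author wrote, with the server's own privileges. (On JEXL 3.3+ the default
    // permissions are already restrictive, so this engine may block the payload too.)
    static JexlEngine unrestrictedEngine() {
        return new JexlBuilder().strict(true).silent(false).create();
    }

    // Hardened pattern: a deny-by-default sandbox that exposes only the properties
    // the template legitimately needs. Everything else, including getClass() on
    // String, is unresolvable and raises JexlException instead of executing.
    static JexlEngine sandboxedEngine() {
        JexlSandbox sandbox = new JexlSandbox(false); // false: deny unless allowed
        sandbox.white(User.class.getName()).read("username", "email");
        return new JexlBuilder().sandbox(sandbox).strict(true).silent(false).create();
    }

    // Renders one template body against a context that exposes the user bean as "user".
    static Object render(JexlEngine engine, String template, User user) {
        JexlContext ctx = new MapContext();
        ctx.set("user", user);
        return engine.createExpression(template).evaluate(ctx);
    }

    // Reports either the rendered value or the JexlException that stopped evaluation.
    static String tryRender(JexlEngine engine, String template, User user) {
        try {
            return "evaluated -> " + render(engine, template, user);
        } catch (JexlException e) {
            return "blocked   -> " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        User user = new User("alice", "alice@example.org"); // constructed sample input

        System.out.println("unrestricted, legit   : " + tryRender(unrestrictedEngine(), LEGIT_TEMPLATE, user));
        System.out.println("unrestricted, injected: " + tryRender(unrestrictedEngine(), INJECTED_TEMPLATE, user));
        System.out.println("sandboxed,    legit   : " + tryRender(sandboxedEngine(), LEGIT_TEMPLATE, user));
        System.out.println("sandboxed,    injected: " + tryRender(sandboxedEngine(), INJECTED_TEMPLATE, user));
    }
}
```

The point of the sandbox is that the legitimate template still renders while the reflective chain fails at the first step, because java.lang.String has no allow-list entry. Whether Syncope's own fix in 2.0.15 and 2.1.6 uses JexlSandbox or another restriction is not stated on this page; the sandbox here is one standard way to constrain JEXL, shown for illustration.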

Impact

Successful exploitation yields Remote Code Execution (RCE) in the context of the Syncope server process, which amounts to full compromise of the host. Because Syncope is an identity management system, that also exposes the identities and credentials it manages, allows disruption of the service, and gives the attacker a foothold for lateral movement into the systems Syncope provisions to [1][2].

Mitigation

The vulnerability is fixed in Apache Syncope 2.0.15 and 2.1.6; upgrade to those or later releases. The vendor advisory provides no workaround, so upgrading is the only complete remediation. Until the upgrade is done, a compensating control (not a substitute for the patch) is to restrict the privilege to create or modify mail templates to a small set of trusted administrators and to review the existing templates for expressions that do anything beyond reading user attributes [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions      Patched versions
org.apache.syncope:syncope-core  Maven       >= 2.0.0, < 2.0.15     2.0.15
org.apache.syncope:syncope-core  Maven       >= 2.1.0, < 2.1.6      2.1.6

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)