Maven package
org.apache.syncope/syncope
pkg:maven/org.apache.syncope/syncope
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11977 | — | >= 2.1.0, < 2.1.7 | 2.1.7 | Sep 15, 2020 | In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution. | ||
| CVE-2014-3503 | — | >= 1.1.0, < 1.1.8 | 1.1.8 | Jul 11, 2014 | Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack. | ||
| CVE-2014-0111 | — | >= 1.0.0, < 1.0.9 | 1.0.9 | Apr 17, 2014 | Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings." |
- CVE-2020-11977Sep 15, 2020affected >= 2.1.0, < 2.1.7fixed 2.1.7
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
- CVE-2014-3503Jul 11, 2014affected >= 1.1.0, < 1.1.8fixed 1.1.8
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.
- CVE-2014-0111Apr 17, 2014affected >= 1.0.0, < 1.0.9fixed 1.0.9
Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."