Main Vulnerability Database SB2014041711

SB2014041711 - Code Injection in Apache Syncope

Published: April 17, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014041711

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: CVE-2014-0111)

The vulnerability allows a remote #AU# to read and manipulate data.

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."

Remediation

Install update from vendor's website.

References

http://mail-archives.us.apache.org/mod_mbox/www-announce/201404.mbox/%3C534CE273.9020601@apache.org%3E
http://syncope.apache.org/security.html
http://www.securityfocus.com/archive/1/531841/100/0/threaded