Apache Syncope Groovy Code Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability in Apache Syncope allows a malicious administrator to inject Groovy code that can be executed remotely on a running Apache Syncope Core instance. This issue arises from the ability to provide custom implementations of Java interfaces, which can be delivered as Groovy classes. While this feature has been available for some time, it was recently discovered that the injected Groovy code could be executed without proper restrictions. Users are advised to upgrade to Apache Syncope versions 3.0.14 or 4.0.2, which address this vulnerability by enforcing a sandbox environment for Groovy code execution.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Apache Syncope Core is running.
Remediation
Users should upgrade to Apache Syncope version 4.0.2, which is available on the Apache Syncope downloads page. Instructions for upgrading from version 4.0.0 are also provided on the Apache Syncope website.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.