Apache Syncope Password Encryption Vulnerability Using Default AES Key

Vulnerability

Apache Syncope versions 2.1.0 through 2.1.14, 3.0.0 through 3.0.14, and 4.0.0 through 4.0.2 allow user passwords to be stored in the internal database with AES encryption; this is not the default configuration. When AES encryption is enabled, the encryption key is set to a default value that is hard-coded in the source code. An attacker with access to the internal database can therefore decrypt the stored values and recover the original plaintext passwords. Encrypted plain attributes, which are also stored using AES encryption, are not affected by this issue.
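As an added illustration (not Syncope's own code and not part of this advisory), the following audit flags the condition described above: reversible AES password storage running on a hard-coded default key. The property names, the minimum key length and the default-key fingerprint are assumptions and placeholders, not values taken from Syncope.

```python
import hashlib

# Constructed sample of a security.properties-style file. The property
# names are assumptions for this illustration, not Syncope's own keys.
SAMPLE_CONFIG = """\
# password storage settings
passwordCipherAlgorithm=AES
secretKey=DEFAULT_KEY_PLACEHOLDER
"""

# The advisory says the default key is hard-coded in the source. A real audit
# would fingerprint that key; a placeholder stands in for it here so the check
# never has to carry the key itself.
DEFAULT_KEY_FINGERPRINT = hashlib.sha256(b"DEFAULT_KEY_PLACEHOLDER").hexdigest()
MIN_KEY_CHARS = 16  # 128 bits of key material; an assumed policy threshold


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value, '#'/'!' comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_password_storage(props: dict) -> list:
    """Return findings for AES password storage; empty when AES is not enabled."""
    findings = []
    if props.get("passwordCipherAlgorithm", "").upper() != "AES":
        return findings  # reversible storage not enabled; the flaw does not apply
    key = props.get("secretKey", "")
    if not key:
        findings.append("AES enabled but no key configured: a hard-coded default will be used")
    elif hashlib.sha256(key.encode()).hexdigest() == DEFAULT_KEY_FINGERPRINT:
        findings.append("AES key matches the hard-coded default: anyone with database access can decrypt passwords")
    elif len(key) < MIN_KEY_CHARS:
        findings.append(f"AES key shorter than {MIN_KEY_CHARS} characters")
    # Even with a strong key, AES storage is reversible: the key is as sensitive as the database.
    findings.append("passwords are stored reversibly; protect the key as strictly as the database")
    return findings


if __name__ == "__main__":
    for finding in audit_password_storage(parse_properties(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```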

Impact

Exploitation of this vulnerability allows for the decryption of AES-encrypted passwords, enabling unauthorized access to user accounts.

Remediation

Users are advised to upgrade to Apache Syncope versions 3.0.15 or 4.0.3, which address this vulnerability.

Added: Nov 24, 2025, 2:17 PM
Updated: Nov 24, 2025, 4:27 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          2.5
exploitability  4.8
remediation     7.7
relevance       1.2
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.