Home

Description

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.

PUBLISHED Reserved 2025-08-19 | Published 2025-10-20 | Updated 2025-10-20 | Assigner apache

Problem types

CWE-653 Improper Isolation or Compartmentalization

Product status

Default status
unaffected

2.1 (semver)
affected

3.0 (semver)
affected

4.0 (semver)
affected

Credits

Mike Cole (Mantel Group) finder

References

lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6 vendor-advisory

cve.org (CVE-2025-57738)

nvd.nist.gov (CVE-2025-57738)

Download JSON