CVE-2014-0111

CWE-94 Code Injection | 4 documents | 4 sources
Severity
6.5 MEDIUM
EPSS
1.4%
top 19.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 17
Latest update: May 14

Description

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 8.0 | Impact: 6.4

Affected Packages (2 packages)

NVD | apache/syncope | 1.0.0 | 1.0.9 | +1
Maven | org.apache.syncope:syncope | 1.0.0 | 1.0.9 | +1

🔴Vulnerability Details

3
GHSA
Apache Syncope JEXL Code Injection (2022-05-14)
OSV
Apache Syncope JEXL Code Injection (2022-05-14)
CVEList
CVE-2014-0111: Apache Syncope 1 (2014-04-17)