CVE-2025-57738
Published 2025-10-20
Severity: High (CVSS 3.1 base score 7.2)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Apache Syncope offers the ability to extend or customize the base behavior of every deployment by accepting custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive because the machinery supports runtime reload.
This feature has been available for a while, but it was recently discovered that a malicious administrator can inject Groovy code that is then executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 or 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
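The fix described above forces the Groovy code to run in a sandbox. As an illustration of that technique (an added example, not Syncope's own code; it assumes the Groovy 4 API names of org.codehaus.groovy.control.customizers.SecureASTCustomizer and uses a constructed deny-list of receiver classes), the following Java class compiles Groovy source under a SecureASTCustomizer that rejects method calls on host-process classes at compile time:

```java
import java.util.List;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.MultipleCompilationErrorsException;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

public class GroovySandboxDemo {

    /** Builds a GroovyShell whose compiler refuses scripts that touch the host process. */
    static GroovyShell sandboxedShell() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        // Constructed deny-list: types a custom implementation class never needs to call into.
        // An AST-level deny-list is one defensive layer, not a complete security boundary;
        // pair it with least-privilege admin roles and review of uploaded implementations.
        secure.setDisallowedReceivers(List.of(
            "java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
            "java.lang.Thread", "java.lang.ClassLoader", "java.lang.reflect.Method"));
        // Explicit imports of the same types are refused as well.
        secure.setDisallowedImports(List.of(
            "java.lang.ProcessBuilder", "java.lang.ClassLoader", "java.lang.reflect.Method"));

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(secure);
        return new GroovyShell(GroovySandboxDemo.class.getClassLoader(), config);
    }

    /** Returns true if the script compiles under the sandbox, false if the sandbox rejected it. */
    static boolean compilesUnderSandbox(String script) {
        try {
            sandboxedShell().parse(script);
            return true;
        } catch (MultipleCompilationErrorsException e) {
            // SecureASTCustomizer throws SecurityException, surfaced as a compilation error.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample scripts: one that only transforms data, one that reaches the host.
        String benign = "def names = ['a', 'b']\nreturn names.collect { it.toUpperCase() }";
        String hostAccess = "return Runtime.getRuntime().availableProcessors()";
        System.out.println("benign compiles: " + compilesUnderSandbox(benign));
        System.out.println("host access compiles: " + compilesUnderSandbox(hostAccess));
    }
}
```

The first script compiles; the second is rejected before it is ever run, which is the property the sandboxed releases rely on.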
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | syncope | >= 2.1.0 < 3.0.14 | 3.0.14 |
| apache | syncope | >= 4.0.0 < 4.0.2 | 4.0.2 |
| apache_software_foundation | apache_syncope | 2.1 – 2.1.14 | — |
| apache_software_foundation | apache_syncope | 3.0 – 3.0.13 | — |
| apache_software_foundation | apache_syncope | 4.0 – 4.0.1 | — |