GitHub Advisory DatabaseGHSA-XGC9-9W4V-H33HHigh severity vulnerability that affects org.apache.syncope:syncope-core
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.012 Low
EPSS
Percentile
85.5%
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11 and 2.0.x before 2.0.8 can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.syncope:syncope-core | lt | 2.0.8 | |
| org.apache.syncope:syncope-core | lt | 1.2.11 |
References
syncope.apache.org/security.html#CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements
www.securityfocus.com/bid/103508
github.com/advisories/GHSA-xgc9-9w4v-h33h
github.com/apache/syncope/commit/726231fbf7b817bd2a9467171dcb1c0087c75bc
github.com/apache/syncope/commit/ad31479c1c543ac7d26b8c882aa14f6c00c1fd0
nvd.nist.gov/vuln/detail/CVE-2018-1321
www.exploit-db.com/exploits/45400
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.012 Low
EPSS
Percentile
85.5%