Refine your search
4 vulnerabilities found for Apache Syncope by Apache Software Foundation
CVE-2025-65998 (GCVE-0-2025-65998)
Vulnerability from nvd
Published
2025-11-24 13:47
Modified
2025-11-24 15:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Summary
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.
When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.
This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.
Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Version: 2.1 ≤ 2.1.14 Version: 3.0 ≤ 3.0.14 Version: 4.0 ≤ 4.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-24T15:04:26.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T15:35:31.369551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T15:36:14.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.syncope.core:syncope-core-spring",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.14",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Clemens Bergmann (Technical University of Darmstadt)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\u003c/p\u003e\u003cp\u003eWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\u003cbr\u003eThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.\u003c/p\u003e"
}
],
"value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:03.979Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Syncope: Default AES key used for internal password encryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-65998",
"datePublished": "2025-11-24T13:47:03.979Z",
"dateReserved": "2025-11-19T08:09:02.428Z",
"dateUpdated": "2025-11-24T15:36:14.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57738 (GCVE-0-2025-57738)
Vulnerability from nvd
Published
2025-10-20 14:43
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Summary
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.
Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Version: 2.1 ≤ 2.1.14 Version: 3.0 ≤ 3.0.13 Version: 4.0 ≤ 4.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-57738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T15:13:38.012543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:15:48.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:18.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/20/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.13",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mike Cole (Mantel Group)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\u003cbr\u003eSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\u003cbr\u003eUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\nSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\nUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T14:43:39.985Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: Remote Code Execution by delegated administrators",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-57738",
"datePublished": "2025-10-20T14:43:39.985Z",
"dateReserved": "2025-08-19T06:32:04.510Z",
"dateUpdated": "2025-11-04T21:13:18.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65998 (GCVE-0-2025-65998)
Vulnerability from cvelistv5
Published
2025-11-24 13:47
Modified
2025-11-24 15:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Summary
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.
When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.
This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.
Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Version: 2.1 ≤ 2.1.14 Version: 3.0 ≤ 3.0.14 Version: 4.0 ≤ 4.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-24T15:04:26.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T15:35:31.369551Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T15:36:14.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.syncope.core:syncope-core-spring",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.14",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Clemens Bergmann (Technical University of Darmstadt)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\u003c/p\u003e\u003cp\u003eWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\u003cbr\u003eThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.\u003c/p\u003e"
}
],
"value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:03.979Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Syncope: Default AES key used for internal password encryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-65998",
"datePublished": "2025-11-24T13:47:03.979Z",
"dateReserved": "2025-11-19T08:09:02.428Z",
"dateUpdated": "2025-11-24T15:36:14.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57738 (GCVE-0-2025-57738)
Vulnerability from cvelistv5
Published
2025-10-20 14:43
Modified
2025-11-04 21:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Summary
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.
Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.
Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Syncope |
Version: 2.1 ≤ 2.1.14 Version: 3.0 ≤ 3.0.13 Version: 4.0 ≤ 4.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-57738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T15:13:38.012543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:15:48.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:18.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/20/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Syncope",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.14",
"status": "affected",
"version": "2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.13",
"status": "affected",
"version": "3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mike Cole (Mantel Group)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\u003cbr\u003eSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\u003cbr\u003eUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"value": "Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload.\nSuch a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance.\nUsers are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653 Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T14:43:39.985Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/x7cv6xv7z76y49grdr1hgj1pzw5zbby6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Syncope: Remote Code Execution by delegated administrators",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-57738",
"datePublished": "2025-10-20T14:43:39.985Z",
"dateReserved": "2025-08-19T06:32:04.510Z",
"dateUpdated": "2025-11-04T21:13:18.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}