oss-sec mailing list archives

[CVE-2020-1961] Apache Syncope: Server-Side Template Injection on mail templates


From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Sat, 2 May 2020 14:32:34 +0200

Description:
A Server-Side Template Injection vulnerability in mail templates was discovered, enabling attackers to inject arbitrary JEXL expressions and leading to Remote Code Execution (RCE).

Severity: Important

Vendor: The Apache Software Foundation

Affects:
2.0.X releases prior to 2.0.15
2.1.X releases prior to 2.1.6

Solution:
2.0.X users: upgrade to 2.0.15
2.1.X users: upgrade to 2.1.6

Credit:
This issue was discovered by GitHub Security Labs team member Alvaro Muñoz - https://github.com/pwntester.

References:
https://syncope.apache.org/security
