CVE-2020-1959 - OpenCVE

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Syncope

Configuration 1 [-]

cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*

References

Link	Resource
http://syncope.apache.org/security	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2020-05-04T12:25:18

Updated: 2020-05-04T12:25:18

Reserved: 2019-12-02T00:00:00

Link: CVE-2020-1959

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-05-04T13:15:13.533

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-1959

JSON object: View

Redhat Information

No data.

CWE

CWE-917

{"containers": {"cna": {"affected": [{"product": "Apache Syncope", "vendor": "n/a", "versions": [{"status": "affected", "version": "Apache Syncope 2.1.X releases prior to 2.1.6"}]}], "descriptions": [{"lang": "en", "value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."}], "problemTypes": [{"descriptions": [{"description": "Multiple Remote Code Execution Vulnerabilities", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-04T12:25:18", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://syncope.apache.org/security"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-1959", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Syncope", "version": {"version_data": [{"version_value": "Apache Syncope 2.1.X releases prior to 2.1.6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Multiple Remote Code Execution Vulnerabilities"}]}]}, "references": {"reference_data": [{"name": "http://syncope.apache.org/security", "refsource": "MISC", "url": "http://syncope.apache.org/security"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-1959", "datePublished": "2020-05-04T12:25:18", "dateReserved": "2019-12-02T00:00:00", "dateUpdated": "2020-05-04T12:25:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*", "matchCriteriaId": "31260109-834D-4DCF-AA29-754026EC13A2", "versionEndExcluding": "2.1.6", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code."}, {"lang": "es", "value": "Se identific\u00f3 una Inyecci\u00f3n de Plantillas del Lado del Servidor en Apache Syncope versiones anteriores a la versi\u00f3n 2.1.6, que permit\u00eda a atacantes inyectar expresiones JEXL arbitrarias, conllevando a una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota (RCE) no autenticada. Apache Syncope usa validadores de restricciones personalizadas Java Bean Validation (JSR 380). Cuando se construyen mensajes de error de violaci\u00f3n de restricciones personalizadas, ellos soportan diferentes tipos de interpolaci\u00f3n, incluyendo expresiones de Java EL. Por lo tanto, si un atacante puede inyectar datos arbitrarios en la plantilla de mensajes de error que es pasada, ellos ser\u00edan capaces de ejecutar c\u00f3digo Java arbitrario."}], "id": "CVE-2020-1959", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-04T13:15:13.533", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "http://syncope.apache.org/security"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}]}