PT-2020-15192 · Apache · Apache Syncope

Published 2020-05-04 · Updated 2021-07-21 · CVE-2020-1959

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable software and affected versions: Apache Syncope versions prior to 2.1.6

Description: A Server-Side Template Injection issue allows attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE). Apache Syncope uses Java Bean Validation custom constraint validators whose error messages are interpolated, and that interpolation evaluates Java EL expressions. If an attacker can inject arbitrary data into the error message template, they are able to run arbitrary Java code.

Recommendations: For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to custom constraint violation error messages to minimize the risk of exploitation, and avoid using Java EL expressions in error message templates until the issue is resolved.
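The unsafe pattern the description refers to, beside two hardened forms, as an added example written for this entry rather than Syncope's own code. It assumes Hibernate Validator as the Bean Validation provider (HibernateConstraintValidatorContext and addMessageParameter are its extensions); the class and method names are hypothetical.

```java
// Added example, not Apache Syncope's code. Assumes Hibernate Validator as the
// Bean Validation provider; addMessageParameter() is its extension API.
import javax.validation.ConstraintValidatorContext;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

public final class ErrorMessageTemplates {

    // UNSAFE: the untrusted value is concatenated into the message *template*.
    // Bean Validation interpolates "${...}" in templates as Java EL, so any
    // expression contained in the value is evaluated by the validator (CWE-1336).
    public static void unsafeReport(String untrusted, ConstraintValidatorContext ctx) {
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("Invalid value: " + untrusted)
           .addConstraintViolation();
    }

    // SAFE (preferred): keep the template constant and hand the untrusted value
    // over as a message parameter. The template is parsed first and the
    // parameter value substituted afterwards, so "${" inside the value is data.
    public static void safeReport(String untrusted, ConstraintValidatorContext ctx) {
        HibernateConstraintValidatorContext hctx =
                ctx.unwrap(HibernateConstraintValidatorContext.class);
        hctx.disableDefaultConstraintViolation();
        hctx.addMessageParameter("value", untrusted)
            .buildConstraintViolationWithTemplate("Invalid value: {value}")
            .addConstraintViolation();
    }

    // SAFE (fallback): if the value must be spliced into the template itself,
    // escape the characters the Bean Validation spec treats specially
    // ("\", "{", "}" and "$") so the interpolator reads them as literals.
    public static String escapeForTemplate(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

A code review or static check for string concatenation into buildConstraintViolationWithTemplate() is the quickest way to find the unsafe pattern in a codebase.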



Related Identifiers

CVE-2020-1959
GHSA-VJQW-R3WW-WJ2W

Affected Products

Apache Syncope