MEDIUM 4.9

GHSA-vr35-jm2f-8wg2

Apache Syncope Vulnerable to Exposure of Sensitive Information Through Data Queries

Details

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.

An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.apache.syncope.core:syncope-core-provisioning-api

Introduced in: 3.0.0-M0

No fixed version published yet for org.apache.syncope.core:syncope-core-provisioning-api (maven). Pin to a known-safe version or switch to an alternative.

Maven / org.apache.syncope.core:syncope-core-provisioning-api

Introduced in: 4.0.0-M0 Fixed in: 4.0.6

Fix # pom.xml: bump <version>4.0.6</version> for org.apache.syncope.core:syncope-core-provisioning-api

Maven / org.apache.syncope.core:syncope-core-provisioning-api

Introduced in: 4.1.0-M0 Fixed in: 4.1.1

Fix # pom.xml: bump <version>4.1.1</version> for org.apache.syncope.core:syncope-core-provisioning-api

References

https://nvd.nist.gov/vuln/detail/CVE-2026-42797 [ADVISORY]
https://github.com/apache/syncope [PACKAGE]
https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6 [WEB]
http://www.openwall.com/lists/oss-security/2026/05/25/5 [WEB]