GHSA-gq7g-vg2q-jvq3
Apache Syncope has an Improper Isolation or Compartmentalization vulnerability
상세
Improper Isolation or Compartmentalization vulnerability in Apache Syncope.
An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
3.0.0-M0 No fixed version published yet for org.apache.syncope.core:syncope-core-spring (maven). Pin to a known-safe version or switch to an alternative.
4.0.0-M0 수정 버전: 4.0.6 # pom.xml: bump <version>4.0.6</version> for org.apache.syncope.core:syncope-core-spring 4.1.0-M0 수정 버전: 4.1.1 # pom.xml: bump <version>4.1.1</version> for org.apache.syncope.core:syncope-core-spring