MEDIUM 4.9

GHSA-vr35-jm2f-8wg2

Apache Syncope Vulnerable to Exposure of Sensitive Information Through Data Queries

상세

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.

An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.

This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.

Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Maven / org.apache.syncope.core:syncope-core-provisioning-api

최초 영향 버전: 3.0.0-M0

No fixed version published yet for org.apache.syncope.core:syncope-core-provisioning-api (maven). Pin to a known-safe version or switch to an alternative.

Maven / org.apache.syncope.core:syncope-core-provisioning-api

최초 영향 버전: 4.0.0-M0 수정 버전: 4.0.6

수정 # pom.xml: bump <version>4.0.6</version> for org.apache.syncope.core:syncope-core-provisioning-api

Maven / org.apache.syncope.core:syncope-core-provisioning-api

최초 영향 버전: 4.1.0-M0 수정 버전: 4.1.1

수정 # pom.xml: bump <version>4.1.1</version> for org.apache.syncope.core:syncope-core-provisioning-api

참고

https://nvd.nist.gov/vuln/detail/CVE-2026-42797 [ADVISORY]
https://github.com/apache/syncope [PACKAGE]
https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6 [WEB]
http://www.openwall.com/lists/oss-security/2026/05/25/5 [WEB]