Author: ilgrosso
Date: Mon Oct 20 13:28:24 2025
New Revision: 1929237

Log:
Updating security page

Modified:
   syncope/site/security.html

Modified: syncope/site/security.html
==============================================================================
--- syncope/site/security.html  Mon Oct 20 13:02:21 2025        (r1929236)
+++ syncope/site/security.html  Mon Oct 20 13:28:24 2025        (r1929237)
@@ -97,7 +97,69 @@
       
 <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/"; class="externalLink">the 
procedure</a>.</p>
 
-      <section><a 
id="CVE-2024-45031.3A_Apache_Syncope.3A_Stored_XSS_in_Console_and_Enduser"></a>
+      <section><a id="CVE-2025-57738"></a>
+<h2>CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated 
administrators</h2>
+
+<p>Apache Syncope offers the ability to extend / customize the base behavior 
on every deployment by allowing to provide custom implementations of a few Java 
interfaces; such implementations can be provided either as Java or Groovy 
classes, with the latter being particularly attractive as the machinery is set 
for runtime reload.
+Such a feature has been available for a while, but recently it was discovered 
that a malicious administrator can inject Groovy code that can be executed 
remotely by a running Apache Syncope Core instance.
+Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this 
issue by forcing the Groovy code to run in a sandbox.</p>
+
+
+<p>
+          <b>Severity</b>
+        </p>
+
+<p>Moderate</p>
+
+
+<p>
+          <b>Affects</b>
+        </p>
+
+<p>
+          </p>
+<ul>
+
+<li>4.0 through 4.0.1</li>
+
+<li>3.0 through 3.0.13</li>
+
+<li>2.1 through 2.1.14</li>
+          </ul>
+
+
+
+<p>
+          <b>Solution</b>
+        </p>
+
+<p>
+          </p>
+<ul>
+
+<li>Users are recommended to upgrade to version 4.0.2 / 3.0.14 which fix this 
issue.</li>
+          </ul>
+
+
+
+<p>
+          <b>Fixed in</b>
+        </p>
+
+<p>
+          </p>
+<ul>
+
+<li>Release 4.0.2</li>
+<li>Release 3.0.14</li>
+          </ul>
+
+
+
+<p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2025-57738"; 
class="externalLink">full CVE advisory</a>.</p>
+      </section>
+
+<section><a 
id="CVE-2024-45031.3A_Apache_Syncope.3A_Stored_XSS_in_Console_and_Enduser"></a>
 <h2>CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser</h2>
         
 <p>When editing objects in the Syncope Console, incomplete HTML tags could be 
used to bypass HTML sanitization. This made it possible to inject stored XSS 
payloads which would trigger for other users during ordinary usage of the 
application.<br />
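Review bot: the "Affects" list (2.1 through 2.1.14) includes a branch that neither the "Solution" nor the "Fixed in" list covers, since only 4.0.2 and 3.0.14 are named as fixed releases; the section should say explicitly what 2.1 users are expected to do (e.g. that no 2.1 fix is provided and they must migrate to 3.0.14 or 4.0.2), otherwise a reader on 2.1 cannot tell whether they are left unpatched. Two smaller points in the same hunk: the `href="https://www.cve.org/CVERecord?id=CVE-2025-57738";` link carries a stray `;` after the closing quote of the attribute, which should be dropped, and the three empty `<p>` `</p>` pairs placed before each `<ul>` render as empty paragraphs and can be removed.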
