Author: ilgrosso
Date: Mon Nov 24 12:40:20 2025
New Revision: 1929943

Log:
Updating security

Modified:
   syncope/site/security.html

Modified: syncope/site/security.html
==============================================================================
--- syncope/site/security.html  Mon Nov 24 12:10:45 2025        (r1929942)
+++ syncope/site/security.html  Mon Nov 24 12:40:20 2025        (r1929943)
@@ -97,6 +97,72 @@
       
 <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/"; class="externalLink">the 
procedure</a>.</p>
 
+      <section><a id="CVE-2025-65998"></a>
+<h2>CVE-2025-65998: Apache Syncope: Default AES key used for internal password 
encryption</h2>
+
+<p>Apache Syncope can be configured to store the user password values in the 
internal database with AES encryption, though this is not the default 
option.</p>
+
+<p>When AES is configured, the default key value, hard-coded in the source 
code, is always used. This allows a malicious attacker, once obtained access to 
the internal database content, to reconstruct the original cleartext password 
values.<br/>
+This is not affecting encrypted plain attributes, whose values are also stored 
using AES encryption.</p>
+
+<p>Users are recommended to upgrade to version 4.0.3 / 3.0.15, which fix this 
issue.</p>
+
+
+<p>
+          <b>Severity</b>
+        </p>
+
+<p>important</p>
+
+
+<p>
+          <b>Affects</b>
+        </p>
+
+<p>
+          </p>
+<ul>
+
+<li>4.0 through 4.0.2</li>
+
+<li>3.0 through 3.0.14</li>
+
+<li>2.1 through 2.1.14</li>
+          </ul>
+
+
+
+<p>
+          <b>Solution</b>
+        </p>
+
+<p>
+          </p>
+<ul>
+
+<li>Users are recommended to upgrade to version 4.0.3 / 3.0.15 which fix this 
issue.</li>
+          </ul>
+
+
+
+<p>
+          <b>Fixed in</b>
+        </p>
+
+<p>
+          </p>
+<ul>
+
+<li>Release 4.0.3</li>
+
+<li>Release 3.0.15</li>
+          </ul>
+
+
+
+<p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2025-65998"; 
class="externalLink">full CVE advisory</a>.</p>
+      </section>
+
       <section><a 
id="CVE-2025-57738.3A_Apache_Syncope.3A_Remote_Code_Execution_by_delegated_administrators"></a>
 <h2>CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated 
administrators</h2>
         
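Review bot: the Affects list in this hunk includes `2.1 through 2.1.14`, but Fixed in lists only `Release 4.0.3` and `Release 3.0.15` and the Solution bullet only tells users to upgrade to 4.0.3 / 3.0.15, so a 2.1.x deployment is left with no guidance; add an explicit line saying that no 2.1 fix is provided and that those installations must move to a fixed 3.0 or 4.0 release. The Solution section should also state whether upgrading alone is enough for password values already stored with the hard-coded default key, or whether an additional step (re-encrypting the stored values or forcing a password reset) is needed, since the description says the default key "is always used" and anyone who has already copied the database keeps ciphertext that can be decrypted with that key. Two smaller points: the new section's anchor is `<a id="CVE-2025-65998">`, while the existing section right below it uses the wiki-style `id="CVE-2025-57738.3A_Apache_Syncope.3A_Remote_Code_Execution_by_delegated_administrators"`, so either follow one convention or carry both ids to keep deep links consistent; and the `<p>` immediately closed by `</p>` before each `<ul>` is an empty paragraph from the template that can be dropped. Lastly, the Solution bullet repeats the description's sentence ("Users are recommended to upgrade to version 4.0.3 / 3.0.15 which fix this issue") verbatim; one occurrence is enough.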