Main Vulnerability Database Vulnerabilities #VU41792

Code Injection in Apache Syncope - CVE-2014-0111

Published: April 17, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41792

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-0111

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Syncope

Detailed vulnerability description

The vulnerability allows a remote #AU# to read and manipulate data.

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."

How to mitigate CVE-2014-0111

Install update from vendor's website.

Sources

http://mail-archives.us.apache.org/mod_mbox/www-announce/201404.mbox/%3C534CE273.9020601@apache.org%3E
http://syncope.apache.org/security.html
http://www.securityfocus.com/archive/1/531841/100/0/threaded

Code Injection in Apache Syncope - CVE-2014-0111

Detailed vulnerability description

How to mitigate CVE-2014-0111

Sources

Please verify you're human