org.apache.syncope.core:syncope-core-provisioning-java 2.0.0-M1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.syncope.core:syncope-core-provisioning-java package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Use of Hard-coded Cryptographic Key org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license. Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the password encryption process. An attacker can recover original cleartext password values by accessing the internal database content, as the encryption key is hard-coded and publicly known. Note: AES encryption is not the default option. How to fix Use of Hard-coded Cryptographic Key? Upgrade `org.apache.syncope.core:syncope-core-provisioning-java` to version 3.0.15, 4.0.3 or higher.	[,3.0.15)[4.0.0-M0,4.0.3)
H Improper Isolation or Compartmentalization org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization of Groovy code provided by delegated administrators. A privileged attacker can execute arbitrary code remotely by providing malicious Groovy implementations that are loaded and executed by the running instance. How to fix Improper Isolation or Compartmentalization? Upgrade `org.apache.syncope.core:syncope-core-provisioning-java` to version 3.0.14, 4.0.2 or higher.	[,3.0.14)[4.0.0,4.0.2)

Vulnerability

Vulnerable Version

Use of Hard-coded Cryptographic Key

org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license.

Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the password encryption process. An attacker can recover original cleartext password values by accessing the internal database content, as the encryption key is hard-coded and publicly known.

Note: AES encryption is not the default option.

How to fix Use of Hard-coded Cryptographic Key?

Upgrade org.apache.syncope.core:syncope-core-provisioning-java to version 3.0.15, 4.0.3 or higher.

[,3.0.15)[4.0.0-M0,4.0.3)

Improper Isolation or Compartmentalization

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization of Groovy code provided by delegated administrators. A privileged attacker can execute arbitrary code remotely by providing malicious Groovy implementations that are loaded and executed by the running instance.

How to fix Improper Isolation or Compartmentalization?

Upgrade org.apache.syncope.core:syncope-core-provisioning-java to version 3.0.14, 4.0.2 or higher.

[,3.0.14)[4.0.0,4.0.2)

org.apache.syncope.core:syncope-core-provisioning-java@2.0.0-M1 vulnerabilities

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically