org.apache.syncope.core:syncope-core-provisioning-java 2.1.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.syncope.core:syncope-core-provisioning-java package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Use of Hard-coded Cryptographic Key org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license. Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the password encryption process. An attacker can recover original cleartext password values by accessing the internal database content, as the encryption key is hard-coded and publicly known. Note: AES encryption is not the default option. How to fix Use of Hard-coded Cryptographic Key? Upgrade `org.apache.syncope.core:syncope-core-provisioning-java` to version 3.0.15, 4.0.3 or higher.	[,3.0.15)[4.0.0-M0,4.0.3)
H Improper Isolation or Compartmentalization org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization of Groovy code provided by delegated administrators. A privileged attacker can execute arbitrary code remotely by providing malicious Groovy implementations that are loaded and executed by the running instance. How to fix Improper Isolation or Compartmentalization? Upgrade `org.apache.syncope.core:syncope-core-provisioning-java` to version 3.0.14, 4.0.2 or higher.	[,3.0.14)[4.0.0,4.0.2)
H Remote Code Execution (RCE) org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license. Affected versions of this package are vulnerable to Remote Code Execution (RCE). Server-Side Template Injection on Mail templates enabling attackers to inject arbitrary `JEXL` expressions, leading to Remote Code Execution. How to fix Remote Code Execution (RCE)? Upgrade `org.apache.syncope.core:syncope-core-provisioning-java` to version 2.0.15, 2.1.6 or higher.	[2.0.0,2.0.15)[2.1.0,2.1.6)

Vulnerability

Vulnerable Version

Use of Hard-coded Cryptographic Key

org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license.

Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the password encryption process. An attacker can recover original cleartext password values by accessing the internal database content, as the encryption key is hard-coded and publicly known.

Note: AES encryption is not the default option.

How to fix Use of Hard-coded Cryptographic Key?

Upgrade org.apache.syncope.core:syncope-core-provisioning-java to version 3.0.15, 4.0.3 or higher.

[,3.0.15)[4.0.0-M0,4.0.3)

Improper Isolation or Compartmentalization

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization of Groovy code provided by delegated administrators. A privileged attacker can execute arbitrary code remotely by providing malicious Groovy implementations that are loaded and executed by the running instance.

How to fix Improper Isolation or Compartmentalization?

Upgrade org.apache.syncope.core:syncope-core-provisioning-java to version 3.0.14, 4.0.2 or higher.

[,3.0.14)[4.0.0,4.0.2)

Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Server-Side Template Injection on Mail templates enabling attackers to inject arbitrary JEXL expressions, leading to Remote Code Execution.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.syncope.core:syncope-core-provisioning-java to version 2.0.15, 2.1.6 or higher.

[2.0.0,2.0.15)[2.1.0,2.1.6)

org.apache.syncope.core:syncope-core-provisioning-java@2.1.2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically