CVE-2025-57738
BaseFortify
Publication date: 2025-10-20
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | syncope | From 2.1.0 (inc) to 3.0.14 (exc) |
| apache | syncope | From 4.0.0 (inc) to 4.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-653 | The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Syncope allows a malicious administrator to inject Groovy code that can be executed remotely by the running Apache Syncope Core instance. The issue arises because the system permits custom implementations of Java interfaces using Groovy classes, which can be reloaded at runtime. Without proper sandboxing, this enables remote code execution through injected Groovy scripts.
How can this vulnerability impact me?
The vulnerability can lead to remote code execution by a malicious administrator, potentially allowing unauthorized control over the Apache Syncope Core instance. This could result in unauthorized access, data manipulation, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Syncope to version 3.0.14 (3.0.x line) or 4.0.2 (4.0.x line), which fix this issue by forcing the Groovy code to run in a sandbox.
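The affected ranges in the table above are easiest to apply mechanically. The following Python check is added here and is not part of the BaseFortify record: it parses the range strings exactly as the table writes them (`From X (inc) to Y (exc)`) and reports whether a given Syncope version falls inside one of them; the version strings in the `__main__` block are constructed samples.

```python
import re

# Affected ranges, copied verbatim from the record's "Affected Vendors & Products" table.
AFFECTED_RANGES = [
    "From 2.1.0 (inc) to 3.0.14 (exc)",
    "From 4.0.0 (inc) to 4.0.2 (exc)",
]

_RANGE_RE = re.compile(
    r"From\s+(?P<lo>[\d.]+)\s+\((?P<lo_kind>inc|exc)\)\s+"
    r"to\s+(?P<hi>[\d.]+)\s+\((?P<hi_kind>inc|exc)\)"
)


def parse_version(text):
    """'3.0.14' -> (3, 0, 14). Numeric tuples compare correctly; plain string
    comparison would wrongly sort '3.0.9' after '3.0.14'. A qualifier such as
    '-SNAPSHOT' is ignored, so pre-releases are treated like their base version."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_range(text):
    """Turn a table range string into (low, low_inclusive, high, high_inclusive)."""
    m = _RANGE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    return (parse_version(m["lo"]), m["lo_kind"] == "inc",
            parse_version(m["hi"]), m["hi_kind"] == "inc")


def in_range(version, rng):
    lo, lo_inc, hi, hi_inc = rng
    above_lo = version >= lo if lo_inc else version > lo
    below_hi = version <= hi if hi_inc else version < hi
    return above_lo and below_hi


def is_affected(version_text, ranges=AFFECTED_RANGES):
    """True if the given Syncope version lies in any affected range."""
    v = parse_version(version_text)
    return any(in_range(v, parse_range(r)) for r in ranges)


if __name__ == "__main__":
    # Constructed sample versions around the range boundaries.
    for v in ["2.0.5", "2.1.0", "3.0.13", "3.0.14", "4.0.1", "4.0.2"]:
        print(v, "affected" if is_affected(v) else "not affected")
```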