CVE-2025-65998
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-26
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | syncope | From 2.1.0 (inc) to 2.1.14 (inc) |
| apache | syncope | From 3.0.0 (inc) to 3.0.15 (exc) |
| apache | syncope | From 4.0.0 (inc) to 4.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Apache Syncope when it is configured to store user passwords in the internal database using AES encryption. The AES encryption uses a default key that is hard-coded in the source code, so an attacker who gains access to the internal database can use the known default key to decrypt the stored values and recover the original cleartext passwords.
How can this vulnerability impact me?
If an attacker obtains access to the internal database, they can decrypt user passwords due to the use of a hard-coded default AES key. This compromises user credentials, potentially leading to unauthorized access to user accounts and further exploitation of the system or connected services.
What immediate steps should I take to mitigate this vulnerability?
Users are advised to upgrade Apache Syncope to version 3.0.15 or 4.0.3, which fix this issue by no longer relying on a hard-coded AES encryption key for stored passwords.