RCE in Apache Syncope
CVE-2014-0111
Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.014 (81.0th percentile)
Affected products
- Apache Syncope
- N/a — versions n/a
References
- [www-announce] 20140415 [SECURITY] CVE-2014-0111 Apache Syncope (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
- 20140415 [SECURITY] CVE-2014-0111 Apache Syncope (mailing-list, x_refsource_BUGTRAQ, Third Party Advisory, VDB Entry)