Author: ilgrosso
Date: Mon May 25 12:47:20 2026
New Revision: 1934591

Log:
Updating security reports

Modified:
   syncope/site/security.html

Modified: syncope/site/security.html
==============================================================================
--- syncope/site/security.html  Mon May 25 12:24:26 2026        (r1934590)
+++ syncope/site/security.html  Mon May 25 12:47:20 2026        (r1934591)
@@ -89,6 +89,132 @@
       
 <p>If you want to report a vulnerability, please follow <a 
href="https://www.apache.org/security/"; class="externalLink">the 
procedure</a>.</p>
 
+      <section><a 
id="CVE-2026-42797.3A_Apache_Syncope.3A_JexlContextBuilder_Information_Disclosure"></a>
+<h2>CVE-2026-42797: Apache Syncope: JexlContextBuilder Information 
Disclosure</h2>
+        
+<p>Exposure of Sensitive Information Through Data Queries vulnerability in 
Apache Syncope.</p>
+        
+<p>An administrator with adequate entitlements for Derived Schemas can create 
a malicious JEXL expression which allows any administrator with sufficient 
entitlements for User read to access User-related security-sensitive 
information.</p>
+
+        
+<p>
+          <b>Severity</b>
+        </p>
+        
+<p>Moderate</p>
+
+        
+<p>
+          <b>Affects</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>4.1 through 4.1.0</li>
+            
+<li>4.0 through 4.0.5</li>
+            
+<li>3.0 through 3.0.16</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Solution</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Users are recommended to upgrade to version 4.1.1 / 4.0.6 which fix this 
issue.</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Fixed in</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Release 4.1.1</li>
+            
+<li>Release 4.0.6</li>
+          </ul>
+        
+
+        
+<p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2026-42797"; 
class="externalLink">full CVE advisory</a>.</p>
+      </section>
+
+      <section><a 
id="CVE-2026-42782.3A_Apache_Syncope.3A_Post-auth_RCE_via_Groovy_static"></a>
+<h2>CVE-2026-42782: Apache Syncope: Post-auth RCE via Groovy static</h2>
+        
+<p>Improper Isolation or Compartmentalization vulnerability in Apache 
Syncope.</p>
+        
+<p>An administrator with adequate entitlements for Implementations can create 
a malicious Groovy class containing untrusted code reaching a non-sandboxed 
execution path via the class static initializer.</p>
+
+        
+<p>
+          <b>Severity</b>
+        </p>
+        
+<p>Moderate</p>
+
+        
+<p>
+          <b>Affects</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>4.1 through 4.1.0</li>
+            
+<li>4.0 through 4.0.5</li>
+            
+<li>3.0 through 3.0.16</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Solution</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Users are recommended to upgrade to version 4.1.1 / 4.0.6 which fix this 
issue.</li>
+          </ul>
+        
+
+        
+<p>
+          <b>Fixed in</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Release 4.1.1</li>
+            
+<li>Release 4.0.6</li>
+          </ul>
+        
+
+        
+<p>Read the <a href="https://www.cve.org/CVERecord?id=CVE-2026-42782"; 
class="externalLink">full CVE advisory</a>.</p>
+      </section>
+
       <section><a 
id="CVE-2026-23795.3A_Apache_Syncope.3A_Console_XXE_on_Keymaster_parameters"></a>
 <h2>CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters</h2>
         
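Review bot: the "Affects" lists for both new sections include "3.0 through 3.0.16", yet "Solution" only tells users to upgrade to "4.1.1 / 4.0.6" and "Fixed in" lists only "Release 4.1.1" and "Release 4.0.6", so a reader on the 3.0 line cannot tell whether a 3.0.x fix exists or whether that line is no longer supported; add the corresponding 3.0 release to both lists or state explicitly that 3.0.x users must move to 4.0.6/4.1.1. A minor markup point in the same hunk: each "Affects", "Solution" and "Fixed in" block opens a `<p>` that is closed immediately before the `<ul>` (`<p>` / `</p>` / `<ul>`), leaving an empty paragraph; dropping the empty `<p></p>` pair keeps the generated HTML cleaner without changing the rendered content.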