A Server-Side Template Injection in the Mail templates was identified in Apache Syncope enabling attackers to inject arbitrary JEXL expressions, leading to a Remote Code Execution (RCE) vulnerability.
Server-Side Template Injection on Mail templates (GHSL-2020-055, CVE-2019-1961)
Mail templates use JEXL expressions. Even though Syncope applies a Uberspector (
org.apache.syncope.core.provisioning.api.jexl.ClassFreeUberspect) to prevent access to
java.lang.Object.class, it is still possible to get a
Class instance via other means. For example, an attacker could get a
Class instance by accessing the
TYPE field of boxed classes such as
From there, an attacker could use Java reflection to instantiate arbitrary objects.
Note that since Core and EndUser are normally deployed with the same origin, a XSS issue allows an attacker to send such malicious requests by fooling the administrator into clicking a malicious link.
This issue may lead to
Remote Code Execution
Use the Sandboxed Uberspector or customize a whitelist-based one.
This issue was addressed in the following commit
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 04/01/2020: Report send to Apache
- 04/02/2020: Issue acknowledged
- 04/02/2020: Apache sends draft advisory
- 05/11/2020: Public Advisory
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).
You can contact the GHSL team at
firstname.lastname@example.org, please include the
GHSL-2020-055 in any communication regarding this issue.