skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
May 11, 2020

GHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557

Alvaro Munoz

Summary

A Server-Side Template Injection in the Mail templates was identified in Apache Syncope enabling attackers to inject arbitrary JEXL expressions, leading to a Remote Code Execution (RCE) vulnerability.

Product

Apache Syncope

Tested Version

syncope-2.1.5

Details

Server-Side Template Injection on Mail templates (GHSL-2020-055, CVE-2019-1961)

Mail templates use JEXL expressions. Even though Syncope applies a Uberspector (org.apache.syncope.core.provisioning.api.jexl.ClassFreeUberspect) to prevent access to java.lang.Object.getClass and java.lang.Object.class, it is still possible to get a Class instance via other means. For example, an attacker could get a Class instance by accessing the TYPE field of boxed classes such as Integer, Long, Boolean, etc.

e.g.:

(1).TYPE

From there, an attacker could use Java reflection to instantiate arbitrary objects.

Note that since Core and EndUser are normally deployed with the same origin, a XSS issue allows an attacker to send such malicious requests by fooling the administrator into clicking a malicious link.

Impact

This issue may lead to Remote Code Execution

Remediation

Use the Sandboxed Uberspector or customize a whitelist-based one.

This issue was addressed in the following commit

CVE

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-055 in any communication regarding this issue.