9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1959

GHSA ID

GHSA-vjqw-r3ww-wj2w

EPSS Score

0.8119%

CWE

CWE-917

Published

6/16/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-1959

CVE-2020-1959:
Expression Language Injection in Apache Syncope

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1959

GHSA ID

GHSA-vjqw-r3ww-wj2w

EPSS Score

0.8119%

CWE

CWE-917

Published

6/16/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.syncope:syncope-core	maven	< 2.1.6	2.1.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs in custom constraint validators' message interpolation logic. Runtime detection would show:

The application's custom validator isValid() method handling malicious input
The ConstraintValidatorContext message-building API processing EL payloads

Though no patch diffs are provided, the CVE description explicitly identifies the attack vector as custom constraint validators using EL interpolation in error messages. The primary vulnerable function would be the isValid() implementation in Syncope's constraint validators, with the JSR-380 message-building API appearing in stack traces during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* S*rv*r-Si** T*mpl*t* Inj**tion w*s i**nti*i** in *p**** Syn*op* prior to *.*.* *n**lin* *tt**k*rs to inj**t *r*itr*ry J*v* *L *xpr*ssions, l***in* to *n un*ut**nti**t** R*mot* *o** *x**ution (R**) vuln*r**ility. *p**** Syn*op* us*s J*v* ***n V*li**

Reasoning

T** vuln*r**ility o**urs in *ustom *onstr*int v*li**tors' m*ss*** int*rpol*tion lo*i*. Runtim* **t**tion woul* s*ow: *. T** *ppli**tion's *ustom v*li**tor isV*li*() m*t*o* **n*lin* m*li*ious input *. T** *onstr*intV*li**tor*ont*xt m*ss***-*uil*in* *P

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-1959: Expression Language Injection in Apache Syncope

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-1959:
Expression Language Injection in Apache Syncope

Vulnerability Intelligence
Miggo AI