CVE-2025-57738: Apache Syncope allows malicious administrators to inject Groovy code

The vulnerability lies in the ability of a malicious administrator to inject and execute arbitrary Groovy code. The analysis of the provided patches reveals that the org.apache.syncope.core.spring.implementation.ImplementationManager class is responsible for loading and instantiating these Groovy scripts. The build methods within this class, and the methods that use them (buildReportJobDelegate, buildAccountRule, etc.), were creating instances of these scripts without any security restrictions. This allowed the Groovy code to run with the same permissions as the Apache Syncope application, leading to a remote code execution vulnerability.

The patch addresses this by introducing a sandboxing mechanism using groovy-security-sandbox. A new GroovySandbox aspect is created and applied to all Groovy implementations when they are built. This is done within the new createBean method in ImplementationManager, which is now called by all the build methods. The sandbox restricts the operations that the Groovy code can perform by enforcing a blacklist of dangerous methods and classes, effectively mitigating the remote code execution risk. The identified vulnerable functions are the build methods in ImplementationManager that were modified to incorporate this sandboxing, as they were the entry points for creating the unsandboxed, vulnerable objects.