ghsa-jqg8-m35q-jh7j
Vulnerability from github
Published
2025-11-24 15:30
Modified
2025-11-25 14:14
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Apache Syncope's AES encryption stores hard-coded passwords in internal database
Details

Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.

When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values. This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.

Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope:syncope-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope:syncope-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T14:14:13Z",
    "nvd_published_at": "2025-11-24T14:15:48Z",
    "severity": "HIGH"
  },
  "details": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.",
  "id": "GHSA-jqg8-m35q-jh7j",
  "modified": "2025-11-25T14:14:13Z",
  "published": "2025-11-24T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65998"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/syncope/commit/297498ebfc86e4996f5e3e4ef7b7f8b1cd82004b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/syncope/commit/9d706af25d2e60327b8b5b63186f9da51ed79a1d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/syncope"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Syncope\u0027s AES encryption stores hard-coded passwords in internal database"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.