Vulnerability-Lookup

CNVD-2026-12896

Vulnerability from cnvd - Published: 2026-03-04

Title

Apache Syncope代码问题漏洞

Description

Apache Syncope是美国阿帕奇（Apache）基金会的一套用于企业环境中的开源数字身份管理系统。该系统支持身份管理、角色配置等。 Apache Syncope存在代码问题漏洞，该漏洞源于Console存在XML外部实体引用限制不当，攻击者可利用该漏洞导致敏感数据泄露。

Severity

中

Patch Name

Apache Syncope代码问题漏洞的补丁

Patch Description

Apache Syncope是美国阿帕奇（Apache）基金会的一套用于企业环境中的开源数字身份管理系统。该系统支持身份管理、角色配置等。 Apache Syncope存在代码问题漏洞，该漏洞源于Console存在XML外部实体引用限制不当，攻击者可利用该漏洞导致敏感数据泄露。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://syncope.apache.org/downloads

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-23795

Impacted products

Name
['Apache Syncope >=3.0.0，<3.0.16', 'Apache Syncope >=4.0.0，<4.0.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-23795",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-23795"
    }
  },
  "description": "Apache Syncope\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u4f01\u4e1a\u73af\u5883\u4e2d\u7684\u5f00\u6e90\u6570\u5b57\u8eab\u4efd\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u8eab\u4efd\u7ba1\u7406\u3001\u89d2\u8272\u914d\u7f6e\u7b49\u3002\n\nApache Syncope\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eConsole\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u5f15\u7528\u9650\u5236\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u654f\u611f\u6570\u636e\u6cc4\u9732\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://syncope.apache.org/downloads",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-12896",
  "openTime": "2026-03-04",
  "patchDescription": "Apache Syncope\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u4f01\u4e1a\u73af\u5883\u4e2d\u7684\u5f00\u6e90\u6570\u5b57\u8eab\u4efd\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u8eab\u4efd\u7ba1\u7406\u3001\u89d2\u8272\u914d\u7f6e\u7b49\u3002\r\n\r\nApache Syncope\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eConsole\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u5f15\u7528\u9650\u5236\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u654f\u611f\u6570\u636e\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Syncope\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Syncope \u003e=3.0.0\uff0c\u003c3.0.16",
      "Apache Syncope \u003e=4.0.0\uff0c\u003c4.0.4"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-23795",
  "serverity": "\u4e2d",
  "submitTime": "2026-02-10",
  "title": "Apache Syncope\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2026-23795 (GCVE-0-2026-23795)

Vulnerability from cvelistv5 – Published: 2026-02-03 15:14 – Updated: 2026-02-03 16:00

Title

Apache Syncope: Console XXE on Keymaster parameters

Summary

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.

Severity ?

No CVSS data available.

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/mzgbdn8hzk8vr94o6…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Syncope	Affected: 3.0 , ≤ 3.0.15 (semver) Affected: 4.0 , ≤ 4.0.3 (semver)

Credits

follycat Y0n3er

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:19:11.713Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/02/02/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T16:00:29.202902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T16:00:32.112Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.syncope.client.idrepo:syncope-client-idrepo-console",
          "product": "Apache Syncope",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.0.15",
              "status": "affected",
              "version": "3.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.0.3",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "follycat"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Y0n3er"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.\u003cbr\u003eAn administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console.\nAn administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs.\n\nThis issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3.\n\nUsers are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T15:14:35.448Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Syncope: Console XXE on Keymaster parameters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-23795",
    "datePublished": "2026-02-03T15:14:35.448Z",
    "dateReserved": "2026-01-16T11:15:53.117Z",
    "dateUpdated": "2026-02-03T16:00:32.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-12896

CVE-2026-23795 (GCVE-0-2026-23795)

Tags

Sightings

Nomenclature