CNNVD-202602-397 Information

CNNVD ID

CNNVD-202602-397

CVE-2026-23795

  • CNNVD Published: 2026-02-03

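Description (translated from Chinese)

Apache Syncope is an open-source digital identity management system for enterprise environments from the Apache Foundation (USA). The system supports identity management, role provisioning, and more. Apache Syncope versions 3.0 through 3.0.15 and 4.0 through 4.0.3 contain a code issue vulnerability that stems from improper restriction of XML external entity references in the Console, which may lead to disclosure of sensitive data.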

Description (English)

Apache Syncope is an open-source digital identity management system for enterprise environments, developed by the Apache Foundation in the United States. The system supports identity management, role allocation, etc. Apache Syncope 3.0 to 3.0.15 and 4.0 to 4.0.3 contain a code issue vulnerability, which stems from the Console's improper restriction of XML external entity references and may lead to the disclosure of sensitive data.

Hazard Level

High

Vulnerability Type

Code Issue

Affected Vendor

Apache

Published

2026-02-03

Last Modified

2026-02-24

References

  • https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos
  • http://www.openwall.com/lists/oss-security/2026/02/02/2
  • https://access.redhat.com/security/cve/cve-2026-23795

Patch

https://syncope.apache.org/downloads
