{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-65998", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-11-19T08:09:02.428Z", "datePublished": "2025-11-24T13:47:03.979Z", "dateUpdated": "2025-11-24T15:36:14.583Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.syncope.core:syncope-core-spring", "product": "Apache Syncope", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.1.14", "status": "affected", "version": "2.1", "versionType": "semver"}, {"lessThanOrEqual": "3.0.14", "status": "affected", "version": "3.0", "versionType": "semver"}, {"lessThanOrEqual": "4.0.2", "status": "affected", "version": "4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Clemens Bergmann (Technical University of Darmstadt)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.</p><p>When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.<br>This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.</p><p>Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.</p>"}], "value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-11-24T13:47:03.979Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Syncope: Default AES key used for internal password encryption", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-24T15:04:26.790Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T15:35:31.369551Z", "id": "CVE-2025-65998", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T15:36:14.583Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-24T15:04:26.790Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-65998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-24T15:35:31.369551Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T15:35:48.467Z"}}], "cna": {"title": "Apache Syncope: Default AES key used for internal password encryption", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Clemens Bergmann (Technical University of Darmstadt)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Syncope", "versions": [{"status": "affected", "version": "2.1", "versionType": "semver", "lessThanOrEqual": "2.1.14"}, {"status": "affected", "version": "3.0", "versionType": "semver", "lessThanOrEqual": "3.0.14"}, {"status": "affected", "version": "4.0", "versionType": "semver", "lessThanOrEqual": "4.0.2"}], "packageName": "org.apache.syncope.core:syncope-core-spring", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.</p><p>When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.<br>This is not affecting encrypted plain attributes, whose values are also stored using AES encryption.</p><p>Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-11-24T13:47:03.979Z"}}}, "cveMetadata": {"cveId": "CVE-2025-65998", "state": "PUBLISHED", "dateUpdated": "2025-11-24T15:36:14.583Z", "dateReserved": "2025-11-19T08:09:02.428Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-11-24T13:47:03.979Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*", "matchCriteriaId": "D773E581-822F-4431-BEFB-48BE61A743EC", "versionEndIncluding": "2.1.14", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE40E959-C93C-43E0-80AE-4FAB31C47165", "versionEndExcluding": "3.0.15", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFD9390D-0F3F-453D-ACCC-BFF74C6D9623", "versionEndExcluding": "4.0.3", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option.\n\nWhen AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained access to the internal database content, to reconstruct the original cleartext password values.\nThis is not affecting encrypted plain attributes, whose values are also stored using AES encryption.\n\nUsers are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue."}], "id": "CVE-2025-65998", "lastModified": "2025-11-26T14:30:26.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-24T14:15:48.417", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2025/11/24/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{}