SCA: security update for org.apache.syncope.core:syncope-core-spring (GHSA-825g-mm5v-ggq4)

high Tenable Self-Hosted Container Security Plugin ID 435679

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing
to provide custom implementations of a few Java interfaces; such implementations can be provided either as
Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime
reload. Such a feature has been available for a while, but recently it was discovered that a malicious
administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core
instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the
Groovy code to run in a sandbox. (CVE-2025-57738)

See Also

https://github.com/advisories/GHSA-825g-mm5v-ggq4

Plugin Details

Severity: High

ID: 435679

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 10/21/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2025-57738

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/20/2025

Vulnerability Publication Date: 10/20/2025

Reference Information

CVE: CVE-2025-57738

cwe: CWE-653