ID CVE-2020-11977
Summary In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:syncope:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:syncope:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:syncope:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:syncope:2.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:syncope:2.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:syncope:2.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:syncope:2.1.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:syncope:2.1.6:*:*:*:*:*:*:*
CVSS
Base: 8.5 (as of 24-09-2020 - 13:42)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM SINGLE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:S/C:C/I:C/A:C
refmap via4
misc https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition
Last major update 24-09-2020 - 13:42
Published 15-09-2020 - 20:15
Last modified 24-09-2020 - 13:42
Back to Top