CVE-2017-15708 – org.apache.synapse:synapse-core

Package

Manager: maven
Name: org.apache.synapse:synapse-core
Vulnerable Version: >=0 <3.0.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.23677 pctl0.95781

Details

Remote Code Execution in Apache Synapse In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Metadata

Created: 2020-11-04T18:23:25Z
Modified: 2022-03-18T20:16:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-p694-23q3-rvrc/GHSA-p694-23q3-rvrc.json
CWE IDs: ["CWE-502", "CWE-74"]
Alternative ID: GHSA-p694-23q3-rvrc
Finding: F096
Auto approve: 1