CVE-2020-11977 – org.apache.syncope:syncope
Package
Manager: maven
Name: org.apache.syncope:syncope
Vulnerable Version: >=2.1.0 <2.1.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00589 (percentile 0.68211)
Details
Shell command injection in Apache Syncope
In Apache Syncope 2.1.x releases prior to 2.1.7, when the Flowable extension is enabled, an administrator holding workflow entitlements can define Shell Service Tasks in a workflow definition and have the server execute arbitrary operating-system commands, including but not limited to file read, file write, and code execution. Versions 2.1.0 up to but not including 2.1.7 are affected; the issue is fixed in 2.1.7.
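An offline check for the two conditions stated above (a Syncope artifact in the vulnerable range, and the Flowable extension present in the build), written against a Maven pom.xml. This is an added example, not code from the advisory or from the Apache Syncope project. The matching rules are assumptions: any dependency whose groupId starts with `org.apache.syncope` is treated as a Syncope artifact, and any such artifactId containing `flowable` is taken as the Flowable extension. The pom.xml embedded below is constructed sample input, not a real deployment.

```python
"""Offline exposure check for CVE-2020-11977 against a Maven pom.xml.

Checks the two conditions in the advisory: an org.apache.syncope artifact in
the range >=2.1.0 <2.1.7, and the Flowable extension being part of the build.
The matching rules (groupId prefix "org.apache.syncope", "flowable" in the
artifactId) are assumptions of this example; the pom is constructed input.
"""
import re
import xml.etree.ElementTree as ET

VULN_MIN = "2.1.0"  # first affected version (inclusive)
FIXED = "2.1.7"     # first fixed version (exclusive upper bound)

# Constructed sample pom: Syncope 2.1.6 plus the Flowable extension, both
# pinned through a shared version property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>syncope-deployment</artifactId>
  <version>1.0</version>
  <properties><syncope.version>2.1.6</syncope.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.syncope.core</groupId>
      <artifactId>syncope-core-rest-cxf</artifactId>
      <version>${syncope.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.syncope.ext.flowable</groupId>
      <artifactId>syncope-ext-flowable-rest-cxf</artifactId>
      <version>${syncope.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Split '2.1.7-SNAPSHOT' into ((2, 1, 7), 'SNAPSHOT')."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2).lstrip("-.")


def version_key(text):
    """Sort key: numeric parts padded to three fields; a qualifier such as
    SNAPSHOT or M1 orders before the bare release, as Maven does."""
    nums, qualifier = parse_version(text)
    nums = nums + (0,) * max(0, 3 - len(nums))
    return nums, (0 if qualifier else 1)


def is_vulnerable_version(text):
    """True for versions in [2.1.0, 2.1.7)."""
    return version_key(VULN_MIN) <= version_key(text) < version_key(FIXED)


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM namespace prefix


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def load_pom(xml_text):
    """Return every <dependency> (including dependencyManagement entries) as
    a dict, with ${property} references resolved from <properties>."""
    root = ET.fromstring(xml_text)
    props = {}
    for elem in root:
        if _local(elem.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in elem})

    def resolve(value):
        if value is None:
            return None  # version managed elsewhere (parent/BOM)
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    return [{"groupId": _child_text(d, "groupId"),
             "artifactId": _child_text(d, "artifactId"),
             "version": resolve(_child_text(d, "version"))}
            for d in root.iter() if _local(d.tag) == "dependency"]


def assess(deps):
    """Flag vulnerable Syncope artifacts and whether Flowable is enabled."""
    vulnerable, unresolved, flowable = [], [], False
    for d in deps:
        if not (d["groupId"] or "").startswith("org.apache.syncope"):
            continue
        gav = f"{d['groupId']}:{d['artifactId']}:{d['version']}"
        if "flowable" in (d["artifactId"] or "").lower():
            flowable = True
        if d["version"] is None or "${" in d["version"]:
            unresolved.append(gav)  # cannot judge without the effective pom
        elif is_vulnerable_version(d["version"]):
            vulnerable.append(gav)
    return {"vulnerable_artifacts": vulnerable,
            "unresolved_artifacts": unresolved,
            "flowable_extension": flowable,
            # exploitable only when both advisory conditions hold
            "exposed": bool(vulnerable) and flowable}


if __name__ == "__main__":
    for key, value in assess(load_pom(SAMPLE_POM)).items():
        print(f"{key}: {value}")
```

Versions left unresolved (managed by a parent or BOM) are reported separately rather than silently passed; run the check against the effective pom (`mvn help:effective-pom`) to resolve them. A vulnerable version without the Flowable extension is reported but not marked exposed, matching the advisory's precondition; upgrading to 2.1.7 is still the fix.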
Metadata
Created: 2021-06-16T17:19:12Z
Modified: 2021-05-04T20:57:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-p2rp-cmjq-r7wm/GHSA-p2rp-cmjq-r7wm.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-p2rp-cmjq-r7wm
Finding: F404
Auto approve: 1