CVE-2020-11977

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-11977

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11977.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-11977

Aliases

GHSA-p2rp-cmjq-r7wm

Published

2020-09-15T20:15:13.040Z

Modified

2026-03-14T09:51:54.757788Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.

References

https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition

Affected packages

Git / github.com/apache/syncope

Affected ranges

Type

GIT

Repo

https://github.com/apache/syncope

Events

Introduced

49c2e53ba6baf1423a89b5ab9a24aa665a5780ad

Fixed

c50355d8a83ab96fb49943c0d8d005d7d4c144ce

Database specific

{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.7"
        }
    ]
}

Affected versions

syncope-2.*

syncope-2.1.0

syncope-2.1.1

syncope-2.1.2

syncope-2.1.3

syncope-2.1.4

syncope-2.1.5

syncope-2.1.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11977.json"