GHSA-p2rp-cmjq-r7wm

Source

https://github.com/advisories/GHSA-p2rp-cmjq-r7wm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-p2rp-cmjq-r7wm/GHSA-p2rp-cmjq-r7wm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p2rp-cmjq-r7wm

Aliases

CVE-2020-11977

Published

2021-06-16T17:19:12Z

Modified

2023-11-08T04:02:08.242687Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Shell command injection in Apache Syncope

Details

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.

Database specific

{
    "nvd_published_at": "2020-09-15T20:15:00Z",
    "github_reviewed_at": "2021-05-04T20:57:28Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ]
}

References

Affected packages

Maven / org.apache.syncope:syncope

Package

Name: org.apache.syncope:syncope; View open source insights on deps.dev
Purl: pkg:maven/org.apache.syncope/syncope

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.7

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6