GHSA-p694-23q3-rvrc

Source

https://github.com/advisories/GHSA-p694-23q3-rvrc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-p694-23q3-rvrc/GHSA-p694-23q3-rvrc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p694-23q3-rvrc

Aliases

CVE-2017-15708

Published

2020-11-04T18:23:25Z

Modified

2023-11-08T03:58:58.363047Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote Code Execution in Apache Synapse

Details

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Database specific

{
    "nvd_published_at": "2017-12-11T15:29:00Z",
    "github_reviewed_at": "2020-11-04T18:21:43Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502",
        "CWE-74"
    ]
}

References

Affected packages

Maven / org.apache.synapse:synapse-core

Package

Name: org.apache.synapse:synapse-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.synapse/synapse-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.1

Affected versions

1.*

1.0

1.1

1.1.1

1.1.2

1.2

2.*

2.0.0

2.1.0

3.*

3.0.0