In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
References
Link | Resource |
---|---|
https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2020-09-15T19:02:51
Updated: 2020-09-15T19:02:51
Reserved: 2020-04-21T00:00:00
Link: CVE-2020-11977
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-09-15T20:15:13.040
Modified: 2020-09-24T13:42:34.213
Link: CVE-2020-11977
JSON object: View
Redhat Information
No data.
CWE