CVE-2020-11977

CWE-78OS Command Injection4 documents4 sources
Severity
7.2HIGH
EPSS
0.6%
top 30.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Syncope
Timeline
PublishedSep 15
Latest updateJun 16

Description

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

NVDapache/syncope2.1.02.1.7
Mavenorg.apache.syncope:syncope2.1.02.1.7
CVEListV5apache_syncopeApache Syncope 2.1.X releases prior to 2.1.7

🔴Vulnerability Details

3
OSV
Shell command injection in Apache Syncope2021-06-16
GHSA
Shell command injection in Apache Syncope2021-06-16
CVEList
CVE-2020-11977: In Apache Syncope 22020-09-15
CVE-2020-11977 (HIGH CVSS 7.2) | In Apache Syncope 2.1.X releases pr | cvebase.io