Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2020-11977 Vulnerability in maven package org.apache.syncope.ext.flowable:syncope-ext-flowable-bpmn

Description

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.

Remediation

References

https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition

Related Vulnerabilities

CVE-2022-29258 Vulnerability in maven package org.xwiki.platform:xwiki-platform-filter-ui

CVE-2015-8856 Vulnerability in npm package serve-index

CVE-2023-29203 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2019-20343 Vulnerability in maven package org.codehaus.mojo:exec-maven-plugin

CVE-2018-1000068 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-noinfo