oss-sec mailing list archives
[CVE-2020-11977] Apache Syncope: Remote Code Execution via Flowable workflow definition
From: Francesco Chicchiriccò <ilgrosso () apache org>
Date: Mon, 14 Sep 2020 12:33:10 +0200
Description: When the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution. Severity: Low Vendor: The Apache Software Foundation Affects: 2.1.X releases prior to 2.1.7 Solution: 2.1.X users: upgrade to 2.1.7 Credit: This issue was discovered by ch0wn of Orz Lab.
Current thread:
- [CVE-2020-11977] Apache Syncope: Remote Code Execution via Flowable workflow definition Francesco Chicchiriccò (Sep 14)