CVE-2020-11977
First published: Tue Sep 15 2020(Updated: )
In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Syncope | >=2.1.0<2.1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-11977?
CVE-2020-11977 is a vulnerability in Apache Syncope 2.1.X releases prior to 2.1.7.
What is the severity of CVE-2020-11977?
The severity of CVE-2020-11977 is high with a score of 7.2.
How does CVE-2020-11977 affect Apache Syncope?
CVE-2020-11977 affects Apache Syncope 2.1.X releases prior to 2.1.7 when the Flowable extension is enabled.
What can an attacker do with CVE-2020-11977?
An attacker with workflow entitlements can use Shell Service Tasks to perform malicious operations, including file read, file write, and code execution.
How can I fix CVE-2020-11977?
To fix CVE-2020-11977, upgrade Apache Syncope to version 2.1.7 or higher.
- collector/nvd-index
- agent/description
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache syncope
- version/apache syncope/2.1.0