You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@syncope.apache.org by Francesco Chicchiriccò <il...@apache.org> on 2020/09/14 10:32:40 UTC
[CVE-2020-11977] Apache Syncope: Remote Code Execution via Flowable
workflow definition
Description:
When the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.
Severity: Low
Vendor: The Apache Software Foundation
Affects:
2.1.X releases prior to 2.1.7
Solution:
2.1.X users: upgrade to 2.1.7
Credit:
This issue was discovered by ch0wn of Orz Lab.