Skip to main content

Syncope CVE-2020-11977

HIGH
2020-09-15 security@apache.org
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 15, 2020 - 20:15 nvd
HIGH 7.2

DescriptionNVD

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution.

AnalysisAI

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution. Affected products include: Apache Syncope. Version information: prior to 2.1.7.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-1321 HIGH POC
7.2 Mar 20

An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and un

CVE-2020-1961 CRITICAL
9.8 May 04

Vulnerability to Server-Side Template Injection on Mail templates for Apache Syncope 2.0.X releases prior to 2.0.15, 2.1

CVE-2020-1959 CRITICAL
9.8 May 04

A Server-Side Template Injection was identified in Apache Syncope prior to 2.1.6 enabling attackers to inject arbitrary

CVE-2018-1322 MEDIUM POC
4.9 Mar 20

An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupporte

CVE-2018-17186 HIGH
7.2 Nov 06

An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not li

CVE-2026-23794 MEDIUM
6.8 Feb 03

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a maliciou

CVE-2014-0111 MEDIUM
6.5 Apr 17

Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via

CVE-2024-45031 MEDIUM
6.1 Oct 24

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. Rated mediu

CVE-2024-38503 MEDIUM
5.4 Jul 22

When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could le

CVE-2018-17184 MEDIUM
5.4 Nov 06

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements

CVE-2014-3503 MEDIUM
5.0 Jul 11

Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attack

CVE-2026-23795 MEDIUM
4.9 Feb 03

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Share

CVE-2020-11977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy