Description
Arbitrary code execution in Apache ServiceComb java-chassis
When the handler-router component is enabled in servicecomb-java-chassis, an authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and is fixed in Apache ServiceComb-Java-Chassis 2.1.5.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-17532
- https://github.com/apache/servicecomb-java-chassis/commit/839a52e27c754cb5ce14f20063902f21065bd26c
- https://github.com/apache/servicecomb-java-chassis/commit/ba4fb37b6ab8bd3a6c3d0693f295d99a94879838
- https://issues.apache.org/jira/browse/SCB-2145
- https://seclists.org/oss-sec/2021/q1/60
Packages
| Name | Ecosystem | Affected versions | Fixed version |
| --- | --- | --- | --- |
| org.apache.servicecomb:java-chassis | maven | >= 1.0.0, < 1.3.2 | 1.3.2 |
| org.apache.servicecomb:java-chassis | maven | >= 2.0.0, < 2.1.5 | 2.1.5 |
Related vulnerabilities
CVSS3: 8.8
nvd
about 5 years ago