High severityNVD Advisory· Published Jan 25, 2021· Updated Feb 13, 2025

Apache ServiceComb Yaml remote deserialization vulnerability

CVE-2020-17532

Description

When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.servicecomb:java-chassisMaven	>= 1.0.0, < 1.3.2	1.3.2
org.apache.servicecomb:java-chassisMaven	>= 2.0.0, < 2.1.5	2.1.5

Affected products

ghsa-coords
pkg:maven/org.apache.servicecomb/java-chassis
Range: >= 1.0.0, < 1.3.2
Apache/ServiceComb-Java-Chassiscpe-rescue
Range: Apache ServiceComb-Java-Chassis 2.x 2.0.0 to 2.1.3

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-px4w-rcv2-6x8xghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-17532ghsaADVISORY
github.com/apache/servicecomb-java-chassis/commit/839a52e27c754cb5ce14f20063902f21065bd26cghsaWEB
github.com/apache/servicecomb-java-chassis/commit/ba4fb37b6ab8bd3a6c3d0693f295d99a94879838ghsaWEB
issues.apache.org/jira/browse/SCB-2145ghsax_refsource_MISCWEB
seclists.org/oss-sec/2021/q1/60ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.003
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000