====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN513
_____________________________________________________________________

DATE                : 15/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Syncope versions 2.1.X prior
                                         to 2.1.7.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202009.mbox/%3cf04bb82f-c85a-b897-633d-b914267c1994@apache.org%3e
_____________________________________________________________________


Description:
When the Flowable extension is enabled, an administrator with workflow
entitlements can use Shell Service Tasks to
perform malicious operations, including but not limited to file read,
file write, and code execution.

Severity: Low

Vendor: The Apache Software Foundation

Affects:
2.1.X releases prior to 2.1.7

Solution:
2.1.X users: upgrade to 2.1.7

Credit:
This issue was discovered by ch0wn of Orz Lab.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================