{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T12:48:14.148","vulnerabilities":[{"cve":{"id":"CVE-2020-11977","sourceIdentifier":"security@apache.org","published":"2020-09-15T20:15:13.040","lastModified":"2024-11-21T04:59:01.910","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In Apache Syncope 2.1.X releases prior to 2.1.7, when the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited to file read, file write, and code execution."},{"lang":"es","value":"En Apache Syncope versiones 2.1.X anteriores a 2.1.7, cuando la extensión Flowable está habilitada, un administrador con derechos de flujo de trabajo (workflow) puede usar Shell Service Tasks para llevar a cabo operaciones maliciosas, incluyendo pero sin limitarse a una lectura de archivos, una escritura de archivos y una ejecución de código"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:C/I:C/A:C","baseScore":8.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":6.8,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:syncope:*:*:*:*:*:*:*:*","versionStartIncluding":"2.1.0","versionEndExcluding":"2.1.7","matchCriteriaId":"19F75F8C-F0A1-45E6-A900-24A45BE2ACD8"}]}]}],"references":[{"url":"https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition","source":"security@apache.org","tags":["Vendor Advisory"]},{"url":"https://syncope.apache.org/security#CVE-2020-11977:_Remote_Code_Execution_via_Flowable_workflow_definition","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}