Vulnerabilities > CVE-2020-17532 - Deserialization of Untrusted Data vulnerability in Apache Java Chassis

CVSS 6.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

apache

CWE-502

NVD

Published: 2021-01-25

Updated: 2021-01-29

Summary

When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Java Chassis *	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://issues.apache.org/jira/browse/SCB-2145
https://seclists.org/oss-sec/2021/q1/60