CVE-2020-17532
HIGHApache ServiceComb-Java-Chassis <2.1.4 - Authenticated RCE
Title source: llmDescription
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
References (2)
Core 2
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://seclists.org/oss-sec/2021/q1/60
Mailing List, Patch, Vendor Advisory x_refsource_misc
https://issues.apache.org/jira/browse/SCB-2145
Scores
CVSS v3
8.8
EPSS
0.0285
EPSS Percentile
86.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
CWE-20
Status
published
Products (2)
apache/java_chassis
2.0.0 - 2.1.5
org.apache.servicecomb/java-chassis
1.0.0 - 1.3.2Maven
Published
Jan 25, 2021
Tracked Since
Feb 18, 2026