CVE-2020-17532

HIGH

Apache ServiceComb-Java-Chassis <2.1.4 - Authenticated RCE

Title source: llm

Description

When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5

References (2)

[Mailing List, Patch, Vendor Advisory] https://issues.apache.org/jira/browse/SCB-2145

[Mailing List, Third Party Advisory] https://seclists.org/oss-sec/2021/q1/60

Scores

CVSS v3 8.8

EPSS 0.0285

EPSS Percentile 86.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (2)

apache/java_chassis < 2.1.5

org.apache.servicecomb/java-chassis < 1.3.2Maven

Timeline

Published Jan 25, 2021

Tracked Since Feb 18, 2026