Apache ServiceComb security advisories

Security information for Apache ServiceComb

Reporting

Do you want disclose a potential security issue for Apache ServiceComb? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

attacker can perform SSRF through the frontend API

CVE-2023-44313 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-31T08:49:43.083Z

Affected

  • Apache ServiceComb Service-Center through 2.1.0

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.

This issue affects Apache ServiceComb before 2.1.0(include).

Users are recommended to upgrade to version 2.2.0, which fixes the issue.

References

Credits

attacker can query all environment variables of the service-center server

CVE-2023-44312 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-31T08:49:10.176Z

Affected

  • Apache ServiceComb Service-Center through 2.1.0

Description

Exposure of Sensitive Information to an Unauthorized Actor in Apache ServiceComb Service-Center.

This issue affects

Apache ServiceComb Service-Center

before 2.1.0 (include).

Users are recommended to upgrade to version 2.2.0, which fixes the issue.

References

Credits

ServiceComb ServiceCenter Directory Traversal

CVE-2021-21501 [CVE] [CVE json] [OSV json]

Last updated: 2021-08-10T09:15:53.939Z

Affected

  • Apache ServiceComb from Apache ServiceComb-Service-Center 1.x before 2.0.0

Description

Improper configuration will cause ServiceComb ServiceCenter Directory Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0.

References

Apache ServiceComb Yaml remote deserialization vulnerability

CVE-2020-17532 [CVE] [CVE json] [OSV json]

Last updated: 2021-01-25T09:21:23.271Z

Affected

  • Apache ServiceComb-Java-Chassis at Apache ServiceComb-Java-Chassis 2.x 2.0.0 to 2.1.3

Description

When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5

References