Apache ServiceComb security advisories
Security information for Apache ServiceComb
Reporting
Do you want disclose a potential security issue for Apache ServiceComb? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
attacker can perform SSRF through the frontend API
CVE-2023-44313 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-31T08:49:43.083Z
Affected
- Apache ServiceComb Service-Center through 2.1.0
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.
This issue affects Apache ServiceComb before 2.1.0(include).
Users are recommended to upgrade to version 2.2.0, which fixes the issue.
References
Credits
- 苏 安 suanwell@hotmail.com (finder)
attacker can query all environment variables of the service-center server
CVE-2023-44312 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-31T08:49:10.176Z
Affected
- Apache ServiceComb Service-Center through 2.1.0
Description
Exposure of Sensitive Information to an Unauthorized Actor in Apache ServiceComb Service-Center.
This issue affects
Apache ServiceComb Service-Center
before 2.1.0 (include).
Users are recommended to upgrade to version 2.2.0, which fixes the issue.
References
Credits
- 苏 安 suanwell@hotmail.com (finder)
ServiceComb ServiceCenter Directory Traversal
CVE-2021-21501 [CVE] [CVE json] [OSV json]
Last updated: 2021-08-10T09:15:53.939Z
Affected
- Apache ServiceComb from Apache ServiceComb-Service-Center 1.x before 2.0.0
Description
Improper configuration will cause ServiceComb ServiceCenter Directory Traversal problem in ServcieCenter 1.x.x versions and fixed in 2.0.0.
References
Apache ServiceComb Yaml remote deserialization vulnerability
CVE-2020-17532 [CVE] [CVE json] [OSV json]
Last updated: 2021-01-25T09:21:23.271Z
Affected
- Apache ServiceComb-Java-Chassis at Apache ServiceComb-Java-Chassis 2.x 2.0.0 to 2.1.3
Description
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5