CVE-2020-13942 – org.apache.unomi:unomi

Package

Manager: maven
Name: org.apache.unomi:unomi
Vulnerable Version: >=0 <1.5.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.93797 pctl0.99854

Details

Injection and Improper Input Validation in Apache Unomi It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

Metadata

Created: 2022-02-10T00:30:54Z
Modified: 2021-04-14T18:49:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-xp5j-wj4h-2jq9/GHSA-xp5j-wj4h-2jq9.json
CWE IDs: ["CWE-20", "CWE-74"]
Alternative ID: GHSA-xp5j-wj4h-2jq9
Finding: F184
Auto approve: 1