Description

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

Remediation

References

http://unomi.apache.org/security/cve-2020-11975.txt

https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E

https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E

Related Vulnerabilities

CVE-2020-7751 Vulnerability in npm package pathval

CVE-2023-29526 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2022-24723 Vulnerability in npm package urijs

CVE-2021-41571 Vulnerability in maven package org.apache.pulsar:pulsar

CVE-2023-24807 Vulnerability in maven package org.webjars.npm:undici

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Vendor Advisory NVD-CWE-noinfo