Description
Apache Unomi allows conditions to embed OGNL script expressions. OGNL can reference static members of arbitrary JDK classes (its @fully.qualified.Class@member syntax), so an attacker who can submit or modify a condition can invoke static methods that execute code with the permission level of the Java process running Unomi.
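As an added worked example (not part of this advisory or of the Unomi project): a small Python scanner that walks a condition tree and flags every string value containing an OGNL static-member reference, the construct the description above identifies as the code-execution path. The condition layout, the sample values and the allow-list of permitted classes are constructed assumptions for illustration; the real Unomi condition schema may differ.

```python
"""Flag OGNL static-class references inside Unomi-style condition trees.

Added example, not Unomi project code. OGNL addresses a static field or
method as @fully.qualified.Class@member, so any string inside a condition
that carries that shape deserves review: the class and member named there
are invoked with the privileges of the Unomi JVM.
"""
import re
from typing import Any, Iterator

# @pkg.sub.Class@member -- group 1 is the class, group 2 the static member.
# A plain e-mail address has a single '@' and does not match.
STATIC_REF = re.compile(
    r"@([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*)@([A-Za-z_][\w$]*)"
)

# Hypothetical allow-list of classes a condition might legitimately touch.
# Anything outside it (java.lang.System, java.lang.Runtime, ...) is flagged.
ALLOWED_CLASSES = frozenset({"java.lang.Math", "java.util.Objects"})


def walk_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json-path, value) for every string in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node
    # numbers, booleans and nulls cannot carry an expression: skip them


def find_static_refs(condition: Any) -> list[dict[str, Any]]:
    """Return one finding per @Class@member reference found in the tree."""
    findings = []
    for path, text in walk_strings(condition):
        for match in STATIC_REF.finditer(text):
            cls, member = match.group(1), match.group(2)
            findings.append({
                "path": path,
                "class": cls,
                "member": member,
                "allowed": cls in ALLOWED_CLASSES,
            })
    return findings


def is_suspicious(condition: Any) -> bool:
    """True when any static reference targets a class outside the allow-list."""
    return any(not f["allowed"] for f in find_static_refs(condition))


# Constructed sample: a boolean condition with one benign sub-condition, one
# that uses an allow-listed class, and one that reaches into java.lang.System.
SAMPLE_CONDITION = {
    "type": "booleanCondition",
    "parameterValues": {
        "operator": "and",
        "subConditions": [
            {"type": "profilePropertyCondition",
             "parameterValues": {"propertyName": "properties.firstName",
                                 "comparisonOperator": "equals",
                                 "propertyValue": "Alice"}},
            {"type": "profilePropertyCondition",
             "parameterValues": {"propertyName": "@java.lang.Math@max(properties.age, 18)",
                                 "comparisonOperator": "greaterThan",
                                 "propertyValue": 20}},
            {"type": "profilePropertyCondition",
             "parameterValues": {"propertyName": "@java.lang.System@getProperty('user.home')",
                                 "comparisonOperator": "exists"}},
        ],
    },
}

if __name__ == "__main__":
    for finding in find_static_refs(SAMPLE_CONDITION):
        flag = "ok     " if finding["allowed"] else "REVIEW "
        print(f"{flag} {finding['path']}: {finding['class']}@{finding['member']}")
    print("suspicious:", is_suspicious(SAMPLE_CONDITION))
```

Run it over exported rules, segments or any other object that carries a condition, or over request bodies captured at the API, and triage every non-allow-listed hit; the path tells you exactly which field to inspect.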
Remediation
Upgrade to Apache Unomi 1.5.1 or later, the fixed release named in the Apache advisory linked below. Until the upgrade is in place, restrict who can create or modify conditions (rules, segments and any other object that carries a condition), since every such input is an OGNL evaluation surface, and review existing conditions for static-class references.
References
http://unomi.apache.org/security/cve-2020-11975.txt
https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E
https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E
Related Vulnerabilities
CVE-2023-45280 Vulnerability in maven package org.yamcs:yamcs-core
CVE-2014-7191 Vulnerability in maven package org.webjars:qs
CVE-2023-45143 Vulnerability in maven package org.webjars.npm:undici
CVE-2022-44621 Vulnerability in maven package org.apache.kylin:kylin-server-base
CVE-2023-45279 Vulnerability in maven package org.yamcs:yamcs-core