Description

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

Remediation

References

http://unomi.apache.org/security/cve-2020-11975.txt

https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E

https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E

Related Vulnerabilities

CVE-2020-1960 Vulnerability in maven package org.apache.flink:flink-metrics-core

CVE-2016-1000346 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2021-27405 Vulnerability in npm package @progfay/scrapbox-parser

CVE-2023-29520 Vulnerability in maven package org.xwiki.platform:xwiki-platform-localization-source-wiki

CVE-2022-29253 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Vendor Advisory NVD-CWE-noinfo