Description

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

Remediation

References

http://unomi.apache.org./security/cve-2020-13942.txt

http://www.openwall.com/lists/oss-security/2020/11/24/5

https://advisory.checkmarx.net/advisory/CX-2020-4284

https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E

https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E

https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E

https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E

https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E

Related Vulnerabilities

CVE-2023-45136 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2023-24451 Vulnerability in maven package org.jenkins-ci.plugins:cisco-spark-notifier

CVE-2023-1370 Vulnerability in maven package net.minidev:json-smart

CVE-2022-41933 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authentication-default

CVE-2023-26149 Vulnerability in maven package org.webjars.npm:quill-mention

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory Third Party Advisory Exploit