Description

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

Remediation

References

http://unomi.apache.org./security/cve-2020-13942.txt

http://www.openwall.com/lists/oss-security/2020/11/24/5

https://advisory.checkmarx.net/advisory/CX-2020-4284

https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E

https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E

https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E

https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E

https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E

Related Vulnerabilities

CVE-2019-10332 Vulnerability in maven package org.jenkins-ci.plugins:electricflow

CVE-2021-46366 Vulnerability in maven package info.magnolia:magnolia-core

CVE-2023-22580 Vulnerability in npm package @sequelize/core

CVE-2020-14326 Vulnerability in maven package org.jboss.resteasy:resteasy-core

CVE-2023-49653 Vulnerability in maven package org.jenkins-ci.plugins:jira

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory Third Party Advisory Exploit