Description

A context.json endpoint of Apache Unomi is vulnerable to MVEL and OGNL expression injection. An attacker could exploit this vulnerability using a specially-crafted expression to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Apache Unomi (=> 1.5.2)

References

CVE-2020-13942: Remote Code Execution in Apache Unomi

Related Vulnerabilities

ColdFusion AMF Deserialization RCE

Oracle WebLogic Remote Code Execution via IIOP

WordPress Plugin Uploadify Remote File Upload (1.0)

Apache Solr Parameter Injection

Paperclip gem SSRF (Server side request forgery)

Severity

High

Classification

CVE-2020-13942 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Acumonitor