Description

A context.json endpoint of Apache Unomi is vulnerable to MVEL and OGNL expression injection. An attacker could exploit this vulnerability using a specially-crafted expression to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of Apache Unomi (=> 1.5.2)

References

CVE-2020-13942: Remote Code Execution in Apache Unomi

Related Vulnerabilities

Nette framework PHP code injection via callback

XML external entity injection via File Upload

WordPress Plugin Share Possible Remote Code Execution (1.0)

Play Framework Improper Input Validation Vulnerability (CVE-2015-2156)

Squid Improper Input Validation Vulnerability (CVE-2016-2570)

Severity

High

Classification

CVE-2020-13942 CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Acumonitor Code Execution