CVE-2020-13942: Remote Code Execution in Apache Unomi
First published: Tue Nov 24 2020(Updated: )
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Unomi | >=1.5.0<1.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://unomi.apache.org./security/cve-2020-13942.txt
- http://www.openwall.com/lists/oss-security/2020/11/24/5
- https://advisory.checkmarx.net/advisory/CX-2020-4284
- https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cdev.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E
- https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cdev.unomi.apache.org%3E
- https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cusers.unomi.apache.org%3E
- https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E
- https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E
Frequently Asked Questions
What is CVE-2020-13942?
CVE-2020-13942 is a vulnerability in Apache Unomi where it is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint.
How severe is CVE-2020-13942?
CVE-2020-13942 has a severity rating of 9.8 (Critical).
How can I fix CVE-2020-13942?
To fix CVE-2020-13942, it is highly recommended to upgrade to the latest available version of Apache Unomi (1.5.2).
Where can I find more information about CVE-2020-13942?
You can find more information about CVE-2020-13942 on the Apache Unomi website (http://unomi.apache.org./security/cve-2020-13942.txt) and the Openwall mailing list (http://www.openwall.com/lists/oss-security/2020/11/24/5).
What are the Common Weakness Enumeration (CWE) identifiers associated with CVE-2020-13942?
CVE-2020-13942 is associated with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-20 (Improper Input Validation).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- vendor/apache
- canonical/apache unomi
- version/apache unomi/1.5.0