Vulnerabilites related to Apache Software Foundation - Apache Unomi
cve-2020-13942
Vulnerability from cvelistv5
Published
2020-11-24 18:00
Modified
2025-02-13 16:27
Severity ?
EPSS score ?
Summary
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Unomi |
Version: unspecified < 1.5.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Unomi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-04T12:34:05.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in Apache Unomi",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13942",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in Apache Unomi"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Unomi",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.5.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://unomi.apache.org./security/cve-2020-13942.txt",
"refsource": "MISC",
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cdev.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cdev.unomi.apache.org%3E"
},
{
"name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f@%3Cannounce.apache.org%3E"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2020-4284",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13942",
"datePublished": "2020-11-24T18:00:16.000Z",
"dateReserved": "2020-06-08T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:30.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31164
Vulnerability from cvelistv5
Published
2021-05-04 06:55
Modified
2024-08-03 22:55
Severity ?
EPSS score ?
Summary
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.
References
| ▼ | URL | Tags |
|---|---|---|
| http://unomi.apache.org/security/cve-2021-31164 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Unomi |
Version: Apache Unomi < 1.5.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Unomi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.5.5",
"status": "affected",
"version": "Apache Unomi",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-04T06:55:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Unomi log injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-31164",
"STATE": "PUBLIC",
"TITLE": "Apache Unomi log injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Unomi",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Unomi",
"version_value": "1.5.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://unomi.apache.org/security/cve-2021-31164",
"refsource": "MISC",
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-31164",
"datePublished": "2021-05-04T06:55:12",
"dateReserved": "2021-04-14T00:00:00",
"dateUpdated": "2024-08-03T22:55:53.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}