Vulnerabilites related to apache - unomi
cve-2020-13942
Vulnerability from cvelistv5
Published
2020-11-24 18:00
Modified
2025-02-13 16:27
Severity ?
EPSS score ?
Summary
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Unomi |
Version: unspecified < 1.5.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Unomi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-04T12:34:05.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E"
},
{
"name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution in Apache Unomi",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13942",
"STATE": "PUBLIC",
"TITLE": "Remote Code Execution in Apache Unomi"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Unomi",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.5.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://unomi.apache.org./security/cve-2020-13942.txt",
"refsource": "MISC",
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cdev.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E"
},
{
"name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cdev.unomi.apache.org%3E"
},
{
"name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f@%3Cannounce.apache.org%3E"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2020-4284",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13942",
"datePublished": "2020-11-24T18:00:16.000Z",
"dateReserved": "2020-06-08T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:30.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31164
Vulnerability from cvelistv5
Published
2021-05-04 06:55
Modified
2024-08-03 22:55
Severity ?
EPSS score ?
Summary
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.
References
| ▼ | URL | Tags |
|---|---|---|
| http://unomi.apache.org/security/cve-2021-31164 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Unomi |
Version: Apache Unomi < 1.5.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Unomi",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.5.5",
"status": "affected",
"version": "Apache Unomi",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-04T06:55:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Unomi log injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-31164",
"STATE": "PUBLIC",
"TITLE": "Apache Unomi log injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Unomi",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Unomi",
"version_value": "1.5.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://unomi.apache.org/security/cve-2021-31164",
"refsource": "MISC",
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-31164",
"datePublished": "2021-05-04T06:55:12",
"dateReserved": "2021-04-14T00:00:00",
"dateUpdated": "2024-08-03T22:55:53.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-11975
Vulnerability from cvelistv5
Published
2020-06-05 14:10
Modified
2024-08-04 11:48
Severity ?
EPSS score ?
Summary
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
References
| ▼ | URL | Tags |
|---|---|---|
| http://unomi.apache.org/security/cve-2020-11975.txt | x_refsource_MISC | |
| https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Unomi |
Version: Apache Unomi 1.0.0 to 1.5.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:57.089Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://unomi.apache.org/security/cve-2020-11975.txt"
},
{
"name": "[unomi-commits] 20201113 svn commit: r1883398 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2020-13942.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Unomi",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Unomi 1.0.0 to 1.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-28T09:06:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://unomi.apache.org/security/cve-2020-11975.txt"
},
{
"name": "[unomi-commits] 20201113 svn commit: r1883398 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2020-13942.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-11975",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Unomi",
"version": {
"version_data": [
{
"version_value": "Apache Unomi 1.0.0 to 1.5.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://unomi.apache.org/security/cve-2020-11975.txt",
"refsource": "MISC",
"url": "http://unomi.apache.org/security/cve-2020-11975.txt"
},
{
"name": "[unomi-commits] 20201113 svn commit: r1883398 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2020-13942.txt",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95@%3Ccommits.unomi.apache.org%3E"
},
{
"name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-11975",
"datePublished": "2020-06-05T14:10:57",
"dateReserved": "2020-04-21T00:00:00",
"dateUpdated": "2024-08-04T11:48:57.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-05-04 07:15
Modified
2024-11-21 06:05
Severity ?
Summary
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | http://unomi.apache.org/security/cve-2021-31164 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://unomi.apache.org/security/cve-2021-31164 | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3B79510-E504-4FC0-BB9E-59F0ECE5653F",
"versionEndExcluding": "1.5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements."
},
{
"lang": "es",
"value": "Apache Unomi versiones anteriores a 1.5.5, permite la inyecci\u00f3n de registros CRLF debido a una falta de escape en las sentencias de registro"
}
],
"id": "CVE-2021-31164",
"lastModified": "2024-11-21T06:05:12.827",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-04T07:15:07.803",
"references": [
{
"source": "security@apache.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://unomi.apache.org/security/cve-2021-31164"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://unomi.apache.org/security/cve-2021-31164"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-93"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-05 15:15
Modified
2024-11-21 04:59
Severity ?
Summary
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D22797F3-D4EB-47FB-83FA-775BCCB93279",
"versionEndExcluding": "1.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process."
},
{
"lang": "es",
"value": "Apache Unomi, permite condiciones para usar scripting de OGNL que ofrece la posibilidad de llamar a clases est\u00e1ticas de Java desde el JDK que podr\u00edan ejecutar c\u00f3digo con el nivel de permiso del proceso Java en ejecuci\u00f3n"
}
],
"id": "CVE-2020-11975",
"lastModified": "2024-11-21T04:59:01.647",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-05T15:15:10.723",
"references": [
{
"source": "security@apache.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://unomi.apache.org/security/cve-2020-11975.txt"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://unomi.apache.org/security/cve-2020-11975.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-24 18:15
Modified
2024-11-21 05:02
Severity ?
Summary
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB764717-9346-4749-95B0-F77ABFA61841",
"versionEndExcluding": "1.5.2",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem."
},
{
"lang": "es",
"value": "Es posible inyectar scripts OGNL o MVEL maliciosos en el endpoint p\u00fablico /context.json.\u0026#xa0;Esto fue parcialmente corregido en la versi\u00f3n 1.5.1, pero un nuevo vector de ataque fue encontrado.\u0026#xa0;En Apache Unomi versi\u00f3n 1.5.2, los scripts ahora est\u00e1n completamente filtrados de la entrada.\u0026#xa0;Se recomienda altamente actualizar a la \u00faltima versi\u00f3n disponible de la versi\u00f3n 1.5.x para corregir este problema"
}
],
"id": "CVE-2020-13942",
"lastModified": "2024-11-21T05:02:11.820",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-24T18:15:11.910",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"source": "security@apache.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://unomi.apache.org./security/cve-2020-13942.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}