Description

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

Remediation

References

http://unomi.apache.org/security/cve-2020-11975.txt

https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E

https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E

Related Vulnerabilities

CVE-2023-29008 Vulnerability in npm package @sveltejs/kit

CVE-2020-8131 Vulnerability in npm package yarn

CVE-2023-39156 Vulnerability in maven package org.jenkins-ci.plugins:bazaar

CVE-2023-37298 Vulnerability in npm package joplin

CVE-2021-41097 Vulnerability in npm package aurelia-path

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Vendor Advisory NVD-CWE-noinfo