Description
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
Remediation
References
http://unomi.apache.org/security/cve-2020-11975.txt
https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E
https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E
Related Vulnerabilities
CVE-2017-5651 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2011-5063 Vulnerability in maven package org.apache.tomcat:catalina
CVE-2022-36095 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2019-0230 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2023-40312 Vulnerability in maven package org.opennms:opennms-webapp