Description

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

Remediation

References

http://unomi.apache.org/security/cve-2020-11975.txt

https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E

https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E

Related Vulnerabilities

CVE-2023-24807 Vulnerability in maven package org.webjars.npm:undici

CVE-2023-27987 Vulnerability in maven package org.apache.linkis:linkis-cs-client

CVE-2023-31066 Vulnerability in maven package org.apache.inlong:manager-web

CVE-2023-37462 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-ui

CVE-2014-7191 Vulnerability in maven package org.webjars:qs

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Vendor Advisory NVD-CWE-noinfo