Improper input validation in Apache Software Foundation Unomi
CVE-2020-13942
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.943 (99.9th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Unomi — versions unspecified
Weakness classification (CWE)
Public proof-of-concept exploits
References
- unomi.apache.org./security/cve-2020-13942.txt (x_refsource_MISC)
- [unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi (mailing-list, x_refsource_MLIST)
- [unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi (mailing-list, x_refsource_MLIST)
- [unomi-users] 20201124 Apache Unomi 1.5.4 Release (mailing-list, x_refsource_MLIST)
- [unomi-dev] 20201124 Apache Unomi 1.5.4 Release (mailing-list, x_refsource_MLIST)
- [oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi (mailing-list, x_refsource_MLIST)
- [announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi (mailing-list, x_refsource_MLIST)
- advisory.checkmarx.net/advisory/CX-2020-4284 (x_refsource_MISC)
- [unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-13942?
- CVE-2020-13942 is a vulnerability in Apache Software Foundation Unomi, classified under Improper Input Validation. Published 2020-11-24.
- Is CVE-2020-13942 known to be exploited?
- 50 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.