CVE-2020-13942: Remote Code Execution in Apache Unomi

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-13942

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Remote Code Execution in Apache Unomi

Source: NVD (National Vulnerability Database)

Vulnerability Description

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

输入验证不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache Unomi 注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache Unomi是美国阿帕奇软件（Apache Software）基金会的一套开源的客户数据平台。该平台主要使用Java语言编写。 Apache Unomi 1.5.2之前版本存在注入漏洞，该漏洞源于可以将恶意的OGNL或MVEL脚本注入/context.json公共端点。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache Unomi	unspecified ~ 1.5.2	-

II. Public POCs for CVE-2020-13942

#	POC Description	Source Link	Shenlong Link
1	None	https://github.com/lp008/CVE-2020-13942	POC Details
2	CVE-2020-13942 unauthenticated RCE POC through MVEL and OGNL injection	https://github.com/eugenebmx/CVE-2020-13942	POC Details
3	CVE-2020-13942 POC + Automation Script	https://github.com/shifa123/CVE-2020-13942-POC-	POC Details
4	None	https://github.com/blackmarketer/CVE-2020-13942	POC Details
5	CVE-2020-13942 Apache Unomi 远程代码执行漏洞脚getshell	https://github.com/yaunsky/Unomi-CVE-2020-13942	POC Details
6	Apache Unomi CVE-2020-13942: RCE Vulnerabilities	https://github.com/hoanx4/apche_unomi_rce	POC Details
7	None	https://github.com/Prodrious/CVE-2020-13942	POC Details
8	None	https://github.com/corsisechero/CVE-2020-13942byVulHub	POC Details
9	Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process. This vulnerability affects all versions of Apache Unomi prior to 1.5.2.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-13942.yaml	POC Details
10	None	https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Apache%20Unomi%20%E8%BF%9C%E7%A8%8B%E8%A1%A8%E8%BE%BE%E5%BC%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2020-13942.md	POC Details
11		https://github.com/vulhub/vulhub/blob/master/unomi/CVE-2020-13942/README.md	POC Details
12	Apache Unomi CVE-2020-13942: RCE Vulnerabilities	https://github.com/dev-team-12x/apche_unomi_rce	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2020-13942

Please Login to view more intelligence information

https://advisory.checkmarx.net/advisory/CX-2020-4284x_refsource_MISC
http://unomi.apache.org./security/cve-2020-13942.txtx_refsource_MISC
https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3Emailing-listx_refsource_MLIST
http://www.openwall.com/lists/oss-security/2020/11/24/5mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3Emailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2020-13942

IV. Related Vulnerabilities

Same product: Apache Unomi

Same vendor: Apache Software Foundation

Same weakness: CWE-20

V. Comments for CVE-2020-13942

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2020-13942

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2020-13942

III. Intelligence Information for CVE-2020-13942

IV. Related Vulnerabilities

V. Comments for CVE-2020-13942

Leave a comment