-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2020-11975: Remote Code Execution in Apache Unomi

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache Unomi prior to 1.5.1.

Description:
Apache Unomi allows conditions to use OGNL scripting, which offers the
possibility of calling static Java classes from the JDK and could therefore
execute code with the permission level of the running Java process.
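The advisory names the mechanism (OGNL static-class references reaching the JDK from condition scripting) and the fix boundary (1.5.1). The following added example, which is not part of the advisory or the Unomi project, is a defender-side helper: it walks a Unomi-style condition JSON document, flags any string value carrying OGNL's static reference syntax `@fully.qualified.Class@member`, and checks a deployed version string against the 1.5.1 fix line. The regex is a textual heuristic, not an OGNL parser, and the condition payloads are constructed samples, not real traffic.

```python
import json
import re
from typing import Iterator, List, Tuple

# OGNL static access syntax: @fully.qualified.ClassName@member (method or field).
# This is the construct the advisory refers to ("call static Java classes from the JDK").
# Heuristic only: it matches the textual form and does not parse OGNL.
OGNL_STATIC_REF = re.compile(
    r"@([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)@([A-Za-z_$][\w$]*)"
)

# First release containing the fix, per the advisory.
FIXED_VERSION = (1, 5, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.0' or '1.5.1-SNAPSHOT' into a comparable tuple of ints."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the Unomi version predates the fix (all versions prior to 1.5.1)."""
    return parse_version(version) < FIXED_VERSION


def iter_strings(node) -> Iterator[str]:
    """Walk a decoded JSON document and yield every string value in it."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)


def find_ognl_static_refs(condition_json: str) -> List[Tuple[str, str]]:
    """Return (class, member) pairs for every OGNL static reference in a condition payload."""
    doc = json.loads(condition_json)
    hits = []
    for text in iter_strings(doc):
        for match in OGNL_STATIC_REF.finditer(text):
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed sample payloads (hypothetical; not taken from the advisory or from Unomi).
BENIGN_CONDITION = json.dumps({
    "type": "profilePropertyCondition",
    "parameterValues": {
        "propertyName": "properties.email",
        "comparisonOperator": "equals",
        "propertyValue": "user@example.com",  # a lone '@' must not trigger the rule
    },
})

SUSPICIOUS_CONDITION = json.dumps({
    "type": "profilePropertyCondition",
    "parameterValues": {
        "propertyName": "properties.nickname",
        "comparisonOperator": "equals",
        "propertyValue": "@java.lang.Math@random()",  # static JDK call via OGNL syntax
    },
})

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_CONDITION), ("suspicious", SUSPICIOUS_CONDITION)):
        print(label, find_ognl_static_refs(payload))
    for v in ("1.4.0", "1.5.0", "1.5.1", "1.6.0"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Flagging a payload is a trigger for review or blocking at the ingress point, not a replacement for upgrading: the rule only recognises the `@Class@member` form, so it should be treated as a detection aid alongside the 1.5.1 upgrade rather than as a mitigation on its own.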
This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=unomi.git;h=789ae8e820c507866b9c91590feebffa4e996f5e

Migration:
Apache Unomi users should upgrade to 1.5.1 or later.

Credit: This issue was reported by Yiming Xiang of NSFOCUS.

-----BEGIN PGP SIGNATURE-----
=AjB8
-----END PGP SIGNATURE-----