-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2020-11975: Remote Code Execution in Apache Unomi

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache Unomi prior to 1.5.1.

Description:

Apache Unomi allows conditions to use OGNL scripting. OGNL makes it possible to
call static Java classes from the JDK, so a crafted condition can execute
arbitrary code with the permission level of the running Java process.
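As an added example (not part of this advisory or of the Apache Unomi project), the following Python script flags the OGNL static-member syntax `@package.Class@member` in JSON request bodies that carry conditions, so that a request capture or proxy log can be triaged for the pattern described above. The sample bodies are constructed test inputs; their `type` / `parameterValues` / `subConditions` layout mirrors Unomi's condition JSON as an assumption, and the script makes no claim about which specific expressions Unomi evaluated.

```python
import json
import re

# OGNL static member access has the documented form @fully.qualified.Class@member
# (a static method call or static field read). Anything matching this inside a
# condition parameter is worth a look, whatever the class.
OGNL_STATIC_RE = re.compile(r"@([A-Za-z_][\w.]*)@([A-Za-z_]\w*)")

# JDK classes that give an OGNL expression a path to process execution or
# reflection. A starting point for severity ranking, not an exhaustive list.
DANGEROUS_CLASSES = {
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
    "java.lang.Class",
    "java.lang.reflect.Method",
    "java.lang.System",
    "javax.script.ScriptEngineManager",
}


def find_ognl_static_calls(value):
    """Return (class, member) pairs for every OGNL static reference in a string."""
    if not isinstance(value, str):
        return []
    return OGNL_STATIC_RE.findall(value)


def walk_strings(node, path=""):
    """Yield (json_path, string) for every string leaf in a nested JSON value.

    Every string is visited, not only known parameter names, so the scan does
    not depend on the exact condition schema (subConditions nest arbitrarily).
    """
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_request_body(body):
    """Scan one JSON request body and return a list of findings.

    Each finding is a dict with the JSON path of the offending string, the
    referenced class and member, and a severity derived from DANGEROUS_CLASSES.
    """
    findings = []
    for path, text in walk_strings(json.loads(body)):
        for cls, member in find_ognl_static_calls(text):
            findings.append({
                "path": path,
                "class": cls,
                "member": member,
                "severity": "high" if cls in DANGEROUS_CLASSES else "medium",
            })
    return findings


def scan_all(bodies):
    """Scan a sequence of request bodies; returns one findings list per body."""
    return [scan_request_body(body) for body in bodies]


# Constructed sample bodies (assumption: Unomi-style condition JSON).
SAMPLE_BODIES = [
    # Benign: an ordinary profile property comparison.
    json.dumps({"condition": {
        "type": "profilePropertyCondition",
        "parameterValues": {"propertyName": "properties.firstName",
                            "comparisonOperator": "equals",
                            "propertyValue": "Alice"}}}),
    # Suspicious: static reference to a process-spawning JDK class, nested
    # inside a booleanCondition so the recursive walk is exercised.
    json.dumps({"condition": {
        "type": "booleanCondition",
        "parameterValues": {"operator": "and", "subConditions": [
            {"type": "profilePropertyCondition",
             "parameterValues": {"propertyName": "@java.lang.Runtime@getRuntime()",
                                 "comparisonOperator": "exists"}}]}}}),
    # Medium: static reference to a harmless class; still not expected in a
    # property name and still worth reviewing.
    json.dumps({"condition": {
        "type": "profilePropertyCondition",
        "parameterValues": {"propertyName": "@java.lang.Math@max(1,2)",
                            "comparisonOperator": "exists"}}}),
]

if __name__ == "__main__":
    for body, findings in zip(SAMPLE_BODIES, scan_all(SAMPLE_BODIES)):
        print(findings or "clean")
```

The regex catches only the explicit `@Class@member` form; OGNL has other ways to reach the same classes, so a clean scan is a triage signal and not a guarantee, and the fix remains upgrading to 1.5.1 or later.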

This has been fixed in revision:

https://git-wip-us.apache.org/repos/asf?p=unomi.git;h=789ae8e820c507866b9c91590feebffa4e996f5e

Migration:

Apache Unomi users should upgrade to 1.5.1 or later.

Credit: This issue was reported by Yiming Xiang of NSFOCUS.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEFt9+Vnc4Fy+UXwQCfBnR+70asd8FAl7XwXcACgkQfBnR+70a
sd9XYRAAjHv3p4IZd/Uy+JRS3+i2fgYEDJGVjLpewDeoLp1pCRc8hUTTeKQXgq+E
j3YOAbji9rV0fFYyOCQzmMraIDoHzQFt49Oit2gglXnB9fSer5Rk9lOQf1DgaTJz
Op1Hf/pTwMrrhUQqe4vNRg9NRp7DYyZkObpeXbZaLRarv/NuYsDEXl9A6xDyRabe
5wLGLep85+OalIhAUAXlI6uLqfzfDbU2jlJgcSpvCstOj9vDpkB+jpZOxi7GsN+X
An69bWE+otpE9KlIlhu9GD/lRzzNY8r9DkZXE5Mp24smNm8UYr8GutnYEmAQO09u
Mc9H/hRcnTfiJUeG+pXSNQSRJ+FfgK5Lvp9P4cppo481AGwCTLP01uJu8nsJb/46
AlDF4xA+d7D8TlbN6NXm4FUrP1/QhKyvPHfvGjrPjEs0TbirMU9ypwsO4ESh0O8B
6CVDxSKqmBfWjwQ4AYo+Izddsuf9ABSscNRJmfNxMBQZ0MXvGULcboXipVASWjBF
HS936RtYJY04SQ0aJuTpuN2c8J6S/P+OGzry2ETWuaE5e3nQXWsUry98GQ/qFrK9
3Jm1QZiP9dv8epZ6my0k+845+F2W1P8vkzy2QpGbnYsjcf3/f5T6U+Nz/k0skMHZ
iFNa6aoDShfbziW3pYqLiAwJ+zEQFvU0B9nSXIeiwZwg9ZqWCxk=
=AjB8
-----END PGP SIGNATURE-----