-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2020-13942: Remote Code Execution in Apache Unomi

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache Unomi prior to 1.5.2

Description:

Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the possibility
to call static Java classes from the JDK that could execute code with the
permission level of the running Java process.

This has been fixed in revision:

https://github.com/apache/unomi/commit/0b81ba35dd3c3c2e0a92ce06592b3df90571eced

Migration:

Apache Unomi users should upgrade to 1.5.2 or later.

Credit: This issue was reported by Eugene Rojavski of Checkmarx.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEFt9+Vnc4Fy+UXwQCfBnR+70asd8FAl+uwBcACgkQfBnR+70a
sd8jKxAAkjnC16coiiIkkZ8xVCZVEmga/QRSy2wMM6SYbbWSVjCR6OrpWsaPLLAT
3NLw2xraYrDuNs8WYXm/bZaw3C3Y5B57CB/Lbf+9Vk+8JN9BBecxSDGDv6PGTAjQ
XNFzMuS4g8+GrJ+8iaC+rSiHT0Jj6H4J+5Y2FhvV+KvKWbaJOTIqD1rRL3SUr0A7
qnrrPA3QJEwHsnNIOCcZN18celX5tsxDQkzj7EXnllfjPdY11/rwFDM+PGCrAxER
aFt5lWHuNvRw7FhgGoku/G9CLbCYqIBLrmOhuk6UvG3E9NK3SAQKt24annM92xsy
fSWZrVA+sgnKgU4iRmlJ5oZyQKlkLEIP0Jm6//nQy+yG3kEIWAZHdn/M4Vo5JVTa
Yo3dezgnkQ6RWURAkl9YfN3xEjmSgdlhv4NYoSM6spVeqs1xKO2eAsYLMNoTYUwJ
bTZTtqZsK9ntnLwv+2YpOfiwHjCRFAJGBKQFNA52aCCIVu/NntRlR+QGI8rvYM+U
Rjl1juv3EIc/4EHfNNllAxTTzt5X2rejtkuZaTHnBqL47sj3oMPkSZxkiKA09126
0GEbBgLGpToTlQYBm/53oDqGEaAhFJFStuZg7ndapT785R2HUIwoDVsSB+iRFi80
uqpr6ElD5cEThsX6h5ognp0eMTKa5rRXsXFNPoPp45+XUhwEG7Q=
=m8RZ
-----END PGP SIGNATURE-----
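The description in the signed advisory above is short: conditions are evaluated through a general expression engine (OGNL or MVEL), and such an engine can reach static JDK classes, so whoever controls a condition string runs code as the Java process. The following Java is an added illustration of that bug class and of the safer alternative; it is not Apache Unomi code, not the fix in the linked commit, and it does not reproduce any Unomi request. It assumes the MVEL library (Maven artifact org.mvel:mvel2) is on the classpath and Java 9 or later for Set.of and Map.of; the class and method names are invented for the example. The "hostile" expression only reads a JVM system property, which is enough to show that the engine resolves and calls a static JDK class on the caller's behalf.

```java
// Added illustration of the bug class named in the advisory; not Apache Unomi code.
// Assumes org.mvel:mvel2 on the classpath and Java 9+ (Set.of / Map.of).
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.mvel2.MVEL;

public class ConditionEvalDemo {

    // UNSAFE: an attacker-controlled condition string is handed to a general-purpose
    // expression engine. MVEL resolves java.lang classes implicitly, so the expression
    // can call static JDK classes (System, Runtime, ...) with the privileges of the JVM
    // that evaluates it; the variables map does not limit what the expression may touch.
    static Object evaluateUnsafe(String condition, Map<String, Object> profile) {
        return MVEL.eval(condition, profile);
    }

    // SAFE: accept only a fixed, tiny condition grammar
    //     <property> <op> '<literal>'
    // over an allowlist of property names, and evaluate it ourselves.
    // Nothing in the input is ever interpreted as code.
    private static final Pattern SIMPLE_CONDITION =
            Pattern.compile("^\\s*(\\w+)\\s*(==|!=|<|>)\\s*'([^']*)'\\s*$");
    private static final Set<String> ALLOWED_PROPERTIES = Set.of("country", "age", "segment");

    static boolean evaluateSafe(String condition, Map<String, String> profile) {
        Matcher m = SIMPLE_CONDITION.matcher(condition);
        if (!m.matches()) {
            throw new IllegalArgumentException("condition rejected: not in the allowed grammar");
        }
        String property = m.group(1);
        String op = m.group(2);
        String literal = m.group(3);
        if (!ALLOWED_PROPERTIES.contains(property)) {
            throw new IllegalArgumentException("condition rejected: unknown property " + property);
        }
        String actual = profile.getOrDefault(property, "");
        switch (op) {
            case "==": return literal.equals(actual);
            case "!=": return !literal.equals(actual);
            case "<":  return compareNumeric(actual, literal) < 0;
            case ">":  return compareNumeric(actual, literal) > 0;
            default:   throw new IllegalStateException("unreachable: operator " + op);
        }
    }

    // Numeric comparison on the allowlisted grammar only; anything non-numeric is rejected
    // rather than coerced, so the evaluator never guesses at the meaning of odd input.
    private static int compareNumeric(String actual, String literal) {
        try {
            return Long.compare(Long.parseLong(actual), Long.parseLong(literal));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("condition rejected: non-numeric comparison", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample profile data for the demonstration.
        Map<String, Object> profile = new HashMap<>();
        profile.put("country", "FR");
        profile.put("age", "34");

        // A "condition" that is really a call into a static JDK class. The engine evaluates
        // it without complaint; swap the method for something with side effects and the
        // caller of evaluateUnsafe has handed over code execution.
        String hostile = "System.getProperty('java.version')";
        System.out.println("unsafe engine returned: " + evaluateUnsafe(hostile, profile));

        Map<String, String> stringProfile = Map.of("country", "FR", "age", "34");
        System.out.println("safe: " + evaluateSafe("country == 'FR'", stringProfile));
        System.out.println("safe: " + evaluateSafe("age > '18'", stringProfile));
        try {
            evaluateSafe(hostile, stringProfile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: " + e.getMessage());
        }
    }
}
```

The point of the safe variant is not the particular regex but that the input is data matched against a closed grammar, so there is no evaluator that could be coaxed into resolving a class name. If a product genuinely needs an expression language for user-supplied conditions, the evaluator has to be wrapped in an explicit allowlist of reachable classes and methods (with OGNL's member-access hooks or a filtering classloader around MVEL), and the upgrade path in the advisory above is the right response for affected deployments rather than a home-grown filter.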