Published: 24/11/2020 Updated: 03/12/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Unomi could allow a remote, unauthenticated attacker to execute arbitrary code on the system. The /context.json endpoint is public and evaluated OGNL and MVEL expressions carried in the request body, so by sending a specially crafted request an attacker can run arbitrary code with the permission level of the Java process running Unomi. Releases before 1.5.2 are affected: 1.5.1 only partially fixed the problem (the earlier CVE-2020-11975 fix), and a new attack vector was found, so 1.5.2 filters scripts from the input entirely.
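The following is an added example, not code from Vulmon, the Apache Unomi project, or any of the repositories listed on this page. It shows the check a defender would want alongside the advisory: walk the JSON body of a request to /context.json, flag string values that look like OGNL or MVEL expressions, and classify a reported Unomi version against the 1.5.2 fix. The indicator patterns are a heuristic of this example, the "condition" shape of the sample filter is an assumption about how a Unomi filter carries a property condition (the page only shows the outer "filters" array), and the sample expression is a constructed input for the detector, not the published PoC.

```python
"""Heuristic detector for OGNL/MVEL expressions in Apache Unomi /context.json requests.

Added example; not code from Vulmon, the Unomi project or the PoC repositories.
Indicator patterns are assumptions (common OGNL/MVEL syntax), not a published signature.
"""
from __future__ import annotations

import json
import re
from typing import Any, Iterator, Optional

# Endpoint named in the advisory; the PoC listed on this page POSTs a JSON body with a "filters" key to it.
TARGET_PATH = "/context.json"

# Heuristic indicators of OGNL / MVEL expressions inside a string value (assumption of this example).
SCRIPT_INDICATORS = {
    "ognl_assignment": re.compile(r"#\w+\s*="),                      # #var = ...
    "ognl_static_access": re.compile(r"@[\w.]+@\w+"),                 # @java.lang.Runtime@getRuntime
    "ognl_projection_selection": re.compile(r"\.[\^$]?\{\??"),       # .{ ... }, .^{ ... }, .{? ... }
    "reflection": re.compile(r"\b(?:class\.forName|getDeclaredMethods|getRuntime|ProcessBuilder)\b"),
    "java_lang_ref": re.compile(r"\bjava\.lang\."),
}


def iter_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string value in a parsed JSON document."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")


def find_script_indicators(body: str) -> list[dict]:
    """Return one finding per string value matching any indicator.

    A body that is not valid JSON is reported as its own finding rather than silently
    passed, so a malformed request still surfaces for review.
    """
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        return [{"path": "$", "reasons": ["invalid_json"], "value": body[:80]}]
    findings = []
    for path, value in iter_strings(document):
        reasons = [name for name, pattern in SCRIPT_INDICATORS.items() if pattern.search(value)]
        if reasons:
            findings.append({"path": path, "reasons": reasons, "value": value[:80]})
    return findings


def scan_request(method: str, path: str, body: str) -> Optional[dict]:
    """Flag a request that targets /context.json and carries script-like string values."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return None
    findings = find_script_indicators(body) if body else []
    if not findings:
        return None
    return {"method": method, "path": path, "findings": findings}


def version_is_vulnerable(version: str) -> bool:
    """True for Unomi releases before 1.5.2, the release the advisory says filters scripts."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    return parts < (1, 5, 2)


# Constructed sample bodies (not captured traffic). The "condition" shape is an assumption.
BENIGN_BODY = json.dumps({
    "filters": [{"id": "test", "filters": [{"condition": {
        "type": "profilePropertyCondition",
        "parameterValues": {"propertyName": "properties.email", "comparisonOperator": "exists"},
    }}]}],
})

# Constructed illustrative OGNL expression to exercise the detector; not the published PoC payload.
MALICIOUS_BODY = json.dumps({
    "filters": [{"id": "test", "filters": [{"condition": {
        "type": "profilePropertyCondition",
        "parameterValues": {
            "propertyName": "(#cmd = 'id').(@java.lang.Runtime@getRuntime().exec(#cmd))",
            "comparisonOperator": "exists",
        },
    }}]}],
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, scan_request("POST", TARGET_PATH, body))
    for v in ("1.5.1", "1.5.2"):
        print(v, "vulnerable" if version_is_vulnerable(v) else "fixed")
```

The detector is deliberately broad: any OGNL-style assignment, static access or reflection call in a public, unauthenticated endpoint is worth an alert, and the JSON path in each finding tells the analyst which condition parameter carried it. Run it over request bodies from a WAF or access log, and treat any hit from a host still reporting a version below 1.5.2 as an incident rather than a scan.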

Affected Product

apache unomi

Mailing Lists

Description: It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this p ...

Github Repositories

CVE-2020-13942 Apache Unomi pre-auth RCE

CVE-2020-13942 exploit. Request shown in the repository (body truncated in the listing):

POST /context.json HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json
Content-Length: 200

{"filters":[{"id" : "test","filters": [{" ...

CVE-2020-13942 POC + Automation Script

CVE-2020-13942 POC + Automation Script

Steps:
Step 1: Enumerate all target subdomains for your fav bug bounty program.
Step 2: Put them in the targets.txt file.
Step 3: Run the script.
Step 4: If you find a vulnerable target, don't forget to mention me :)

CVE-2020-13942

Run httpx or httprobe on the targets before using the script.
USAGE: ./CVE-2020-13942.sh target.txt
Credit: This script was made by Rohit Gautam

CVE-2020-13942 POC through OGNL injection

CVE-2020-13942 CVE-2020-13942 POC through OGNL injection

CVE-2020-11975 CVE-2020-13942

unomi_exploit CVE-2020-11975 CVE-2020-13942