CVE-2020-11975

🗓️ 05 Jun 2020 14:10:57Reported by apacheType

cve🔗 web.nvd.nist.gov📰️ 6 Media mentions👁 137 Views🌐 WEB

Apache Unomi allows OGNL scripting, leading to code execution

Reporter	Title	Published	Views	Family All 18
GithubExploit	Exploit for Improper Input Validation in Apache Unomi	11 Jan 202115:50	–	githubexploit
GithubExploit	Exploit for CVE-2020-11975	24 Nov 202005:23	–	githubexploit
GithubExploit	Exploit for Improper Input Validation in Apache Unomi	19 Nov 202008:22	–	githubexploit
Circl	CVE-2020-11975	22 Jul 202503:54	–	circl
CNVD	Apache Unomi Input Validation Error Vulnerability	8 Jun 202000:00	–	cnvd
Cvelist	CVE-2020-11975	5 Jun 202014:10	–	cvelist
Github Security Blog	Improper Input Validation in Apache Unomi	9 Feb 202223:20	–	github
Nuclei	Apache Unomi - Remote Code Execution	6 Jun 202603:01	–	nuclei
NVD	CVE-2020-11975	5 Jun 202015:15	–	nvd
OSV	CVE-2020-11975	5 Jun 202015:15	–	osv

NVD

Vulners

Node

apache unomiRange<1.5.1

[
  {
    "product": "Apache Unomi",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Unomi 1.0.0 to 1.5.0"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E
lists	www.lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E
unomi	www.unomi.apache.org/security/cve-2020-11975.txt

Parameter	Position	Path	Description	CWE
filters[0].filters[0].condition.parameterValues.[empty-string]	request body	context.json	MVEL injection in request body leading to RCE via script payload	CWE-94
personalizations[0].contents[0].filters[0].condition.parameterValues.propertyName	request body	context.json	OGNL injection in request body via propertyName containing OGNL expression for RCE	CWE-94

21 Nov 2024 04:59Current

9.2High risk

Vulners AI Score9.2

CVSS 3.19.8

CVSS 210

EPSS0.83929