CVE-2020-13942
Good to know:
Date: November 24, 2020
It is possible to inject malicious OGNL or MVEL scripts into the public /context.json endpoint. This was partially fixed in 1.5.1, but a new attack vector was found. In Apache Unomi version 1.5.2, scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
Language: Java
Severity Score
Weakness Type (CWE)
Injection
CWE-74
Top Fix
Upgrade Version
Upgrade to version org.apache.unomi:unomi-persistence-elasticsearch-core:1.5.2, org.apache.unomi:unomi-services:1.5.2, org.apache.unomi:unomi-common:1.5.2, org.apache.unomi:unomi-wab:1.5.2, org.apache.unomi:unomi-plugins-base:1.5.2
CVSS v3.1
Base Score:

| Metric | Value |
|---|---|
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | HIGH |
| Integrity (I) | HIGH |
| Availability (A) | HIGH |
CVSS v2
Base Score:

| Metric | Value |
|---|---|
| Access Vector (AV) | NETWORK |
| Access Complexity (AC) | LOW |
| Authentication (AU) | NONE |
| Confidentiality (C) | PARTIAL |
| Integrity (I) | PARTIAL |
| Availability (A) | PARTIAL |