[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2020-13942: Remote Code Execution in Apache Unomi
From:       Serge Huber <shuber () apache ! org>
Date:       2020-11-24 17:12:36
Message-ID: CACR6SAXDk+Ronjh8KQ91q2W4FpiOmiJyjkUe9v4o9L8Bvkhvvw () mail ! gmail ! com
[Download RAW message or body]


Description:

It is possible to inject malicious OGNL or MVEL scripts into the
/context.json public endpoint. This was partially fixed in 1.5.1 but a
new attack vector was found. In version 1.5.2 scripts are now
completely filtered from the input. It is highly recommended to
upgrade to the latest available version of the 1.5.x release to fix
this problem.
References:

http://unomi.apache.org./security/cve-2020-13942.txt


[prev in list] [next in list] [prev in thread] [next in thread]