====================================================================
CERT-Renater Information Note No. 2020/VULN315
_____________________________________________________________________

DATE : 08/06/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Unomi versions prior to 1.5.1.
=====================================================================

http://mail-archives.apache.org/mod_mbox/unomi-users/202006.mbox/%3cCACR6SAUSnrnAP6YgOYC6QVQK9MJXDhWedNcxTHFBRK1kWjD6dg@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-11975: Remote Code Execution in Apache Unomi

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache Unomi prior to 1.5.1.

Description:
Apache Unomi allows conditions to use OGNL scripting, which offers the possibility to call static Java classes from the JDK and thereby execute code with the permission level of the running Java process.

This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=unomi.git;h=789ae8e820c507866b9c91590feebffa4e996f5e

Migration:
Apache Unomi users should upgrade to 1.5.1 or later.

Credit:
This issue was reported by Yiming Xiang of NSFOCUS.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================
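The following is an added triage example, not part of the CERT-Renater note and not code from the Apache Unomi project. It shows two checks a defender would run after reading this advisory: a version comparison against the 1.5.1 fix, and a scan of stored or submitted condition documents for OGNL static-member syntax (the `@fully.qualified.Class@member` form through which OGNL reaches static JDK classes, the mechanism the description names). The condition field names (`type`, `parameterValues`, `propertyName`) and the sample documents are constructed assumptions; adapt the walker to the payloads your own deployment actually stores.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# OGNL static-member syntax: @fully.qualified.Class@member (field or method).
# This is the construct the advisory describes: conditions whose values can
# reach static JDK classes. A match in a user-supplied condition value is a
# triage signal for review, not proof of exploitation.
OGNL_STATIC_REF = re.compile(r"@[A-Za-z_][\w$.]*@[A-Za-z_]\w*")

# Version named in the advisory as containing the fix.
FIXED_VERSION = (1, 5, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.0' or '1.5.1-SNAPSHOT' into a comparable tuple of ints."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the Unomi version is below the 1.5.1 fix named in the advisory."""
    return parse_version(version) < FIXED_VERSION


def walk_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string_value) for every string inside a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        yield path, node


def find_ognl_static_refs(conditions: Any) -> List[Tuple[str, str]]:
    """Return (json_path, matched_expression) for every OGNL static reference found."""
    hits: List[Tuple[str, str]] = []
    for path, value in walk_strings(conditions):
        for match in OGNL_STATIC_REF.finditer(value):
            hits.append((path, match.group(0)))
    return hits


# Constructed sample: Unomi-style condition documents (field names are an
# assumption, not taken from the project). The first is an ordinary property
# test; the second carries an OGNL static reference in a user-controlled field.
SAMPLE_CONDITIONS = json.loads("""
[
  {"type": "profilePropertyCondition",
   "parameterValues": {"propertyName": "properties.age",
                       "comparisonOperator": "greaterThan",
                       "propertyValue": "18"}},
  {"type": "profilePropertyCondition",
   "parameterValues": {"propertyName": "@java.lang.System@getProperty('os.name')",
                       "comparisonOperator": "exists"}}
]
""")


def triage(conditions: Any, version: str) -> dict:
    """Summarise exposure: affected version plus any suspicious condition values."""
    return {
        "affected_version": is_affected(version),
        "suspicious": find_ognl_static_refs(conditions),
    }


if __name__ == "__main__":
    # Example run on the constructed sample against an assumed deployed version.
    print(json.dumps(triage(SAMPLE_CONDITIONS, "1.4.0"), indent=2))
```

The version check is the authoritative remediation signal (upgrade to 1.5.1 or later, as the note says); the OGNL scan is a secondary sweep over data that may already have been written to the instance before the upgrade, since patching does not retroactively clean stored conditions.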