
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN640
_____________________________________________________________________

DATE                : 24/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Unomi versions prior to 1.5.2.

=====================================================================
http://unomi.apache.org./security/cve-2020-13942.txt
_____________________________________________________________________

CVE-2020-13942: Remote Code Execution in Apache Unomi

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache Unomi prior to 1.5.2.

Description:

Apache Unomi allows conditions to use OGNL and MVEL scripting, which
makes it possible to call static Java classes from the JDK and thereby
execute arbitrary code with the permission level of the running Java
process.
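As an added triage aid (not part of this advisory or of the Unomi
project), the following Python script walks exported Unomi condition
definitions and flags parameter values that look like OGNL/MVEL
expressions reaching into JDK classes, so an administrator can audit
stored rules and segments while rolling out the upgrade. The condition
layout, the "script::" prefix and the sample expressions are assumptions
constructed for this example.

```python
import re

# Constructed sample: Unomi-style condition definitions (shape assumed).
# The second profilePropertyCondition carries an OGNL static-member
# expression (benign here: it only reads a JVM system property).
SAMPLE_CONDITIONS = [
    {"type": "profilePropertyCondition",
     "parameterValues": {"propertyName": "properties.firstName",
                         "comparisonOperator": "equals",
                         "propertyValue": "Alice"}},
    {"type": "booleanCondition",
     "parameterValues": {"operator": "and", "subConditions": [
         {"type": "profilePropertyCondition",
          "parameterValues": {"propertyName": "properties.lastName",
                              "comparisonOperator": "equals",
                              "propertyValue":
                              "script::@java.lang.System@getProperty('java.version')"}}
     ]}},
]

# Patterns indicating an expression that touches static JDK classes.
# They err on the side of false positives (e.g. a property named
# "java.foo"), which is the right trade-off for an audit.
STATIC_CLASS_PATTERNS = [
    re.compile(r"@[A-Za-z_][\w.]*@"),            # OGNL: @pkg.Class@member
    re.compile(r"\bjavax?\.[A-Za-z_][\w.]*"),    # fully-qualified JDK class
    re.compile(r"\bnew\s+[A-Za-z_][\w.]*\s*\("), # object construction
]


def _walk_strings(value):
    """Yield every string leaf in a nested dict/list structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _walk_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _walk_strings(v)


def find_suspicious_conditions(conditions):
    """Return (index, top-level type, offending string) for each
    condition whose parameters (including nested subConditions)
    contain an expression referencing JDK classes."""
    hits = []
    for i, cond in enumerate(conditions):
        for s in _walk_strings(cond.get("parameterValues", {})):
            if any(p.search(s) for p in STATIC_CLASS_PATTERNS):
                hits.append((i, cond.get("type"), s))
    return hits


if __name__ == "__main__":
    for idx, ctype, expr in find_suspicious_conditions(SAMPLE_CONDITIONS):
        print(f"condition #{idx} ({ctype}) references JDK classes: {expr}")
```

A hit is a reason to review who created the rule and when, not proof of
compromise; the actual fix remains upgrading to 1.5.2 or later.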

This has been fixed in revision:

https://github.com/apache/unomi/commit/0b81ba35dd3c3c2e0a92ce06592b3df90571eced


Migration:

Apache Unomi users should upgrade to 1.5.2 or later.

Credit: This issue was reported by Eugene Rojavski of Checkmarx.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================