Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-11975

Severity: 9.8 CRITICAL
EPSS: 87.6% (top 0.54%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 5; latest update Feb 9

Description

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (3 packages)

NVD: apache/unomi < 1.5.1
Maven: org.apache.unomi:unomi < 1.5.4
CVEListV5: apache_unomi, Apache Unomi 1.0.0 to 1.5.0

🔴 Vulnerability Details (4 sources)

OSV: Improper Input Validation in Apache Unomi (2022-02-09)
GHSA: Improper Input Validation in Apache Unomi (2022-02-09)
CVEList: CVE-2020-11975: Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code wit (2020-06-05)
VulnCheck: Apache Unomi OGNL Scripting Vulnerability (2020)

💥 Exploits & PoCs (1)

Nuclei: Apache Unomi - Remote Code Execution
CVE-2020-11975 (CRITICAL CVSS 9.8) | Apache Unomi allows conditions to u | cvebase.io