CVE-2020-13942

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://unomi.apache.org./security/cve-2020-13942.txt	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cdev.unomi.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cusers.unomi.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cdev.unomi.apache.org%3E	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2020/11/24/5	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f@%3Cannounce.apache.org%3E	Mailing List Vendor Advisory
https://advisory.checkmarx.net/advisory/CX-2020-4284	Exploit Third Party Advisory
https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E	Exploit Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*

Information

Published : 2020-11-24 10:15

Updated : 2021-05-05 06:26

NVD link : CVE-2020-13942

Mitre link : CVE-2020-13942

JSON object : View

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Products Affected

apache

unomi

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://unomi.apache.org./security/cve-2020-13942.txt", "name": "N/A", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cusers.unomi.apache.org%3E", "name": "[unomi-users] 20201124 Apache Unomi 1.5.4 Release", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118@%3Cdev.unomi.apache.org%3E", "name": "[unomi-dev] 20201124 Apache Unomi 1.5.4 Release", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cusers.unomi.apache.org%3E", "name": "[unomi-users] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a@%3Cdev.unomi.apache.org%3E", "name": "[unomi-dev] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2020/11/24/5", "name": "[oss-security] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f@%3Cannounce.apache.org%3E", "name": "[announce] 20201124 CVE-2020-13942: Remote Code Execution in Apache Unomi", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "https://advisory.checkmarx.net/advisory/CX-2020-4284", "name": "https://advisory.checkmarx.net/advisory/CX-2020-4284", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E", "name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-74"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-13942", "ASSIGNER": "security@apache.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2020-11-24T18:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.5.2", "versionStartIncluding": "1.5.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-05-05T13:26Z"}

9.8 /10