cnvd - cnvd-2020-35958

cnvd-2020-35958

Vulnerability from cnvd

Title: Apache Unomi输入验证错误漏洞

Description:

Apache Unomi是美国阿帕奇软件（Apache Software）基金会的一套开源的客户数据平台。该平台主要使用Java语言编写。

Apache Unomi 1.5.1之前版本中存在安全漏洞。攻击者可利用该漏洞执行代码。

Severity: 高

Patch Name: Apache Unomi输入验证错误漏洞的补丁

Patch Description:

Apache Unomi是美国阿帕奇软件（Apache Software）基金会的一套开源的客户数据平台。该平台主要使用Java语言编写。

Apache Unomi 1.5.1之前版本中存在安全漏洞。攻击者可利用该漏洞执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://unomi.apache.org/security/cve-2020-11975.txt

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-11975

Impacted products

Name
Apache Unomi <1.5.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-11975"
    }
  },
  "description": "Apache Unomi\u662f\u7f8e\u56fd\u963f\u5e15\u5947\u8f6f\u4ef6\uff08Apache Software\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5ba2\u6237\u6570\u636e\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4f7f\u7528Java\u8bed\u8a00\u7f16\u5199\u3002\n\nApache Unomi 1.5.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://unomi.apache.org/security/cve-2020-11975.txt",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-35958",
  "openTime": "2020-07-02",
  "patchDescription": "Apache Unomi\u662f\u7f8e\u56fd\u963f\u5e15\u5947\u8f6f\u4ef6\uff08Apache Software\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5ba2\u6237\u6570\u636e\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4f7f\u7528Java\u8bed\u8a00\u7f16\u5199\u3002\r\n\r\nApache Unomi 1.5.1\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Unomi\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Unomi \u003c1.5.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-11975",
  "serverity": "\u9ad8",
  "submitTime": "2020-06-08",
  "title": "Apache Unomi\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2020-11975 (GCVE-0-2020-11975)

Vulnerability from cvelistv5

Published

2020-06-05 14:10

Modified

2024-08-04 11:48

Severity ?

CWE

Remote Code Execution

Summary

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

References

▼	URL	Tags
	http://unomi.apache.org/security/cve-2020-11975.txt	x_refsource_MISC
	https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	Apache Unomi	Version: Apache Unomi 1.0.0 to 1.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.089Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://unomi.apache.org/security/cve-2020-11975.txt"
          },
          {
            "name": "[unomi-commits] 20201113 svn commit: r1883398 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2020-13942.txt",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E"
          },
          {
            "name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Unomi",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Unomi 1.0.0 to 1.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote Code Execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-28T09:06:12",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://unomi.apache.org/security/cve-2020-11975.txt"
        },
        {
          "name": "[unomi-commits] 20201113 svn commit: r1883398 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2020-13942.txt",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95%40%3Ccommits.unomi.apache.org%3E"
        },
        {
          "name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-11975",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Unomi",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Unomi 1.0.0 to 1.5.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote Code Execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://unomi.apache.org/security/cve-2020-11975.txt",
              "refsource": "MISC",
              "url": "http://unomi.apache.org/security/cve-2020-11975.txt"
            },
            {
              "name": "[unomi-commits] 20201113 svn commit: r1883398 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2020-13942.txt",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r01021bc4b25c1e98812efca0b07f0e078a6281bd52f7c3817a429d95@%3Ccommits.unomi.apache.org%3E"
            },
            {
              "name": "[unomi-commits] 20210428 svn commit: r1889256 - in /unomi/website: contribute-release-guide.html documentation.html download.html index.html security/cve-2021-31164.txt",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460@%3Ccommits.unomi.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-11975",
    "datePublished": "2020-06-05T14:10:57",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:57.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted