Posted to dev@unomi.apache.org by sh...@apache.org on 2020/11/13 17:20:13 UTC

[unomi-site] branch master updated: Add new CVE entry

This is an automated email from the ASF dual-hosted git repository.

shuber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/unomi-site.git


The following commit(s) were added to refs/heads/master by this push:
     new e2f9894  Add new CVE entry
e2f9894 is described below

commit e2f9894d503b104b7ac9fc5db6947febf7928794
Author: Serge Huber <sh...@jahia.com>
AuthorDate: Fri Nov 13 18:19:59 2020 +0100

    Add new CVE entry
---
 src/main/webapp/security/cve-2020-13942.txt | 44 +++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/src/main/webapp/security/cve-2020-13942.txt b/src/main/webapp/security/cve-2020-13942.txt
new file mode 100644
index 0000000..d2ee61f
--- /dev/null
+++ b/src/main/webapp/security/cve-2020-13942.txt
@@ -0,0 +1,44 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2020-13942: Remote Code Execution in Apache Unomi
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Unomi prior to 1.5.2
+
+Description:
+
+Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the possibility
+to call static Java classes from the JDK that could execute code with the
+permission level of the running Java process.
+
+This has been fixed in revision:
+
+https://github.com/apache/unomi/commit/0b81ba35dd3c3c2e0a92ce06592b3df90571eced
+
+Migration:
+
+Apache Unomi users should upgrade to 1.5.2 or later.
+
+Credit: This issue was reported by Eugene Rojavski of Checkmarx.
+-----BEGIN PGP SIGNATURE-----
+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+=m8RZ
+-----END PGP SIGNATURE-----
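Review bot: The advisory text in this hunk omits the exploitation preconditions and any interim mitigation, which readers of a Critical RCE entry need before they can upgrade. The "Description" block (the "Apache Unomi allows conditions to use OGNL and MVEL scripting" paragraph) does not say whether the vulnerable condition evaluation is reachable by unauthenticated requests or only by authenticated users with rule-management rights, and the "Migration" block gives only "Apache Unomi users should upgrade to 1.5.2 or later" with no workaround for deployments that cannot upgrade immediately. Suggest adding a CVSS vector under "Severity: Critical", stating the required privilege level in the description, and, if the project has one, a "Mitigation" line for users on earlier releases. Also consider naming the identifier in the commit message ("Add CVE-2020-13942 entry") so the site history is searchable by CVE.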