CVE-2020-11975
Improper Input Validation in Apache Unomi
Severity: 9.8 CRITICAL (CVSS 3.1)
EPSS: 83.9%
Description
Apache Unomi allows conditions to use OGNL scripting, which makes it possible to call static Java classes from the JDK and thereby execute code with the permission level of the running Java process.
How to fix CVE-2020-11975
To remediate CVE-2020-11975, upgrade the affected package to a fixed version below.
- Maven: org.apache.unomi:unomi, upgrade to 1.5.4 or later
Is CVE-2020-11975 being exploited?
Likely — EPSS is 83.9%, placing CVE-2020-11975 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- org.apache.unomi:unomi: all versions before 1.5.4 (from 0, < 1.5.4)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |