CVE-2020-13942: Remote Code Execution in Apache Unomi

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache Unomi prior to 1.5.2.

Description:
Apache Unomi allows conditions to use OGNL and MVEL scripting, which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

This has been fixed in revision:
https://github.com/apache/unomi/commit/0b81ba35dd3c3c2e0a92ce06592b3df90571eced

Migration:
Apache Unomi users should upgrade to 1.5.2 or later.

Credit:
This issue was reported by Eugene Rojavski of Checkmarx.