PT-2020-13793 · Apache · Apache Unomi

Serge Huber · Published 2020-11-18 · Updated 2022-02-10 · CVE-2020-13942

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache Unomi versions prior to 1.5.2

Description

It is possible to inject malicious OGNL or MVEL scripts into the "/context.json" public endpoint. This issue was partially fixed in version 1.5.1, but a new attack vector was discovered. In Apache Unomi version 1.5.2, scripts are now completely filtered from the input.

Recommendations

For versions prior to 1.5.2, upgrade to the latest available version of the 1.5.x release to fix this problem. As a temporary workaround, consider restricting access to the "/context.json" endpoint until a patch is available.

Exploit

Fix

Special Elements Injection

RCE

Weakness Enumeration

Related Identifiers

CVE-2020-13942
GHSA-XP5J-WJ4H-2JQ9

Affected Products

Apache Unomi