CVE-2020-13942

Description

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

NVD
Severity: CRITICAL
CVE ID: CVE-2020-13942
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

Nuclei Templates for CVE-2020-13942

Refrence: Project Discovery GitHub

lp008

Refrence: GitHub

eugenebmx

CVE-2020-13942 unauthenticated RCE POC through MVEL and OGNL injection

Refrence: GitHub

shifa123

CVE-2020-13942 POC + Automation Script

Refrence: GitHub

blackmarketer

Refrence: GitHub

yaunsky

CVE-2020-13942 Apache Unomi 远程代码执行漏洞脚getshell

Refrence: GitHub

hoanx4

Apache Unomi CVE-2020-13942: RCE Vulnerabilities

Refrence: GitHub

Prodrious

Refrence: GitHub

Content on GitHub

1135 | watchers:6

unomi_exploit
CVE-2020-11975 CVE-2020-13942

Refrence: GitHub

zhzyker | watchers:3278

vulmap
Vulmap 是一款 web 漏洞扫描和验证工具, 可对 webapps 进行漏洞扫描, 并且具备漏洞验证功能

Refrence: GitHub

Description​

Proof Of Concept​

Content on GitHub​

Description

Proof Of Concept

Content on GitHub