Apache Unomi Expression Language Injection Vulnerability

Vulnerability Information

Vulnerability name: Apache Unomi Expression Language Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-11975

Vulnerability type: Code injection

Severity: Critical

Vulnerability description: Apache Unomi is an open-source customer data platform (CDP) for managing data about online customers, leads and visitors; it is widely used in enterprise services to support personalized marketing and customer experience management. The platform allows conditions to use OGNL scripting, which gives attackers an opening to exploit. The vulnerability is a code injection flaw whose technical root cause is that Apache Unomi lets conditions use OGNL scripts; an attacker can use this to invoke static Java classes from the JDK and thereby execute arbitrary code with the privilege level of the running Java process. Exploitation requires that the attacker can reach the OGNL scripting feature. Because arbitrary code execution is possible, the security risk is extremely high and may lead to full server compromise, data leakage, service disruption and other serious consequences. Notably, exploiting this vulnerability requires no authentication and can be automated, which makes it a very serious threat.

Product vendor: Apache

Product name: Apache Unomi

Source: https://github.com/projectdiscovery/nuclei-templates/issues/12668

Type: projectdiscovery/nuclei-templates:github issues

Source Summary

Description:

Apache Unomi allows conditions to use OGNL scripting, which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process, letting attackers execute arbitrary code. Exploitation requires access to the OGNL scripting feature.

Severity: Critical

POC:

KEV: True

Shodan Query: NA

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data (-debug) along with the template to help the triage team with validation, or can alternatively share a vulnerable environment, such as a Dockerfile.

Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.

You can check the FAQ for the Nuclei Templates Community Rewards Program here.

http://example.com/2025/07/21/github_1817374720/
Author: lianccc
Published: July 21, 2025