Apache Unomi security advisories
Security information for Apache Unomi
Reporting
Do you want disclose a potential security issue for Apache Unomi? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Apache Unomi log injection
CVE-2021-31164 [CVE] [CVE json] [OSV json]
Last updated: 2021-05-04T06:40:34.093Z
Affected
- Apache Unomi from Apache Unomi before 1.5.5
Description
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.
References
Remote Code Execution in Apache Unomi
CVE-2020-13942 [CVE] [CVE json] [OSV json]
Last updated: 2020-11-24T17:55:44.282Z
Affected
- Apache Unomi from unspecified before 1.5.2
Description
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
References
- http://unomi.apache.org./security/cve-2020-13942.txt