Apache Unomi security advisories

Security information for Apache Unomi

Reporting

Do you want disclose a potential security issue for Apache Unomi? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Apache Unomi log injection

CVE-2021-31164 [CVE] [CVE json] [OSV json]

Last updated: 2021-05-04T06:40:34.093Z

Affected

  • Apache Unomi from Apache Unomi before 1.5.5

Description

Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.

References

Remote Code Execution in Apache Unomi

CVE-2020-13942 [CVE] [CVE json] [OSV json]

Last updated: 2020-11-24T17:55:44.282Z

Affected

  • Apache Unomi from unspecified before 1.5.2

Description

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

References