VYPR
High severity · NVD Advisory · Published Jun 5, 2020 · Updated Aug 4, 2024

CVE-2020-11975

Description

Apache Unomi prior to 1.5.1 allows remote code execution via OGNL scripting in conditions, enabling arbitrary Java code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

Apache Unomi, a Java-based customer data platform, incorporates a condition evaluation mechanism that supports OGNL (Object-Graph Navigation Language) scripting. Due to insufficient input sanitization, an attacker can craft malicious OGNL expressions that invoke static methods from the Java Development Kit (JDK). This flaw allows the attacker to execute arbitrary code with the same privileges as the running Java process [1][2].

Exploitation

Details

Any component of Unomi that processes conditions—such as rules or profiles—is a potential attack vector. An attacker does not need prior authentication if the affected endpoint is exposed; the OGNL expressions are evaluated without proper restrictions on which Java classes or methods can be called. The vulnerability is present in all versions prior to 1.5.1 [2].

Impact

Successful exploitation results in full remote code execution at the operating system level, limited only by the permissions of the Java process. This can lead to data exfiltration, system compromise, or lateral movement within the network. The severity is rated as Critical [1][2].

Mitigation

The Apache Software Foundation has released Unomi 1.5.1, which disables OGNL scripting in conditions or applies proper sandboxing. Users must upgrade immediately to this version or later. No workarounds are mentioned in the advisory [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
org.apache.unomi:unomi (Maven)   < 1.5.4             1.5.4

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0

No linked articles in our index yet.