Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2020-13942
Published · Remote Code Execution in Apache Unomi
- Vendor
- Apache Software Foundation
- Product
- Apache Unomi
- Published
- Nov 24, 2020
- EPSS
- —
Description
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
CVSS scores
- CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploitation status
Proof of concept available
Recorded 2020-11-19 08:22:17 UTC
References
- http://unomi.apache.org./security/cve-2020-13942.txt
- https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cdev.unomi.apache.org%3E
- https://lists.apache.org/thread.html/rcb6d2eafcf15def433aaddfa06738e5faa5060cef2647769e178999a%40%3Cusers.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cusers.unomi.apache.org%3E
- https://lists.apache.org/thread.html/r4a8fa91836687eaca42b5420a778ca8c8fd3a3740e4cf4401acc9118%40%3Cdev.unomi.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/11/24/5
- https://lists.apache.org/thread.html/r08a4057ff7196b8880117edaa4b6207cbd36ed692d8dd1f5a56b4d0f%40%3Cannounce.apache.org%3E
- https://advisory.checkmarx.net/advisory/CX-2020-4284
- https://lists.apache.org/thread.html/r79672c25e0ef9bb4b9148376281200a8e61c6d5ef5bb705e9a363460%40%3Ccommits.unomi.apache.org%3E
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) | Jun 09, 2025 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-13942.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2021-09-05 16:39:19 UTC · 0 stars
github · Created 2020-12-22 02:57:50 UTC · 4 stars
CVE-2020-13942 Apache Unomi remote code execution vulnerability script (getshell)
github · Created 2020-11-21 08:48:46 UTC · 3 stars
github · Created 2020-11-20 23:25:44 UTC · 9 stars
CVE-2020-13942 POC + Automation Script
github · Created 2020-11-19 08:22:17 UTC · 28 stars
CVE-2020-13942 unauthenticated RCE POC through MVEL and OGNL injection
github · Created 2020-11-18 10:29:47 UTC · 6 stars
Timeline
- CVE ID Reserved
- Proof of Concept Exploit Available
- CVE Published to Public
- Detected by Nuclei
- Added to KEVIntel