CVE-2020-13942

Remote Code Execution in Apache Unomi

Basic Information

CVE State
PUBLISHED
Reserved Date
June 08, 2020
Published Date
November 24, 2020
Last Updated
February 13, 2025
Vendor
Apache Software Foundation
Product
Apache Unomi
Description
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
Tags
apache nuclei_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
94.05% (Percentile: 99.89%) as of 2025-06-02

Exploit Status

Exploited in the Wild
Yes (added 2025-05-10 00:00:00 UTC)

Known Exploited Vulnerability Information

Source: The Shadowserver (via CIRCL)
Added Date: 2025-05-10 00:00:00 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Prodrious/CVE-2020-13942

Type: github • Created: 2021-09-05 16:39:19 UTC • Stars: 0

yaunsky/Unomi-CVE-2020-13942

Type: github • Created: 2020-12-22 02:57:50 UTC • Stars: 4

CVE-2020-13942 Apache Unomi remote code execution vulnerability script, getshell

blackmarketer/CVE-2020-13942

Type: github • Created: 2020-11-21 08:48:46 UTC • Stars: 3

shifa123/CVE-2020-13942-POC-

Type: github • Created: 2020-11-20 23:25:44 UTC • Stars: 9

CVE-2020-13942 POC + Automation Script

eugenebmx/CVE-2020-13942

Type: github • Created: 2020-11-19 08:22:17 UTC • Stars: 28

CVE-2020-13942 unauthenticated RCE POC through MVEL and OGNL injection

lp008/CVE-2020-13942

Type: github • Created: 2020-11-18 10:29:47 UTC • Stars: 6

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel