CVE-2020-11975

CRITICAL EXPLOITED NUCLEI

Apache Unomi - RCE

Description

Apache Unomi allows conditions to use OGNL scripting, which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

Exploits (1)

nomisec WORKING POC 6 stars
by 1135 · remote
https://github.com/1135/unomi_exploit

Nuclei Templates (1)

Apache Unomi - Remote Code Execution
CRITICAL VERIFIED by Sourabh-Sahu
Shodan: http.title:"Apache Unomi"
FOFA: title="Apache Unomi"

Scores

CVSS v3 9.8
EPSS 0.8758
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12
Status published
Products (2)
apache/unomi < 1.5.1
org.apache.unomi/unomi 0 - 1.5.4 Maven
Published Jun 05, 2020
Tracked Since Feb 18, 2026