Unomi
CVE-2021-31164
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 maven packages depend on org.apache.unomi:unomi (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.5.5.
DescriptionNVD
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements.
AnalysisAI
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-93. Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements. Affected products include: Apache Unomi. Version information: version 1.5.5.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. Rated critical severity
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the J
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today