CVE-2020-13936 – org.apache.velocity:velocity-engine-parent

Package

Manager: maven
Name: org.apache.velocity:velocity-engine-parent
Vulnerable Version: >=0 <2.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.10626 pctl0.93002

Details

Sandbox Bypass in Apache Velocity Engine An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Metadata

Created: 2022-01-06T20:32:36Z
Modified: 2022-04-01T20:22:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-59j4-wjwp-mw9m/GHSA-59j4-wjwp-mw9m.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-59j4-wjwp-mw9m
Finding: F184
Auto approve: 1