CVE-2020-13936: An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account…

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Affected

34 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	velocity_engine	< 2.3	2.3
apache	velocity_engine	>= 0 < 1.7-6	1.7-6
apache	velocity_engine	>= 0 < 1.7-6	1.7-6
apache	velocity_engine	>= 0 < 1.7-6	1.7-6
apache	velocity_engine	>= 0 < 1.7-6	1.7-6
apache	wss4j	—	—
apache_software_foundation	apache_velocity_engine	Apache Velocity Engine – 2.2	—
debian	debian_linux	—	—
debian	velocity	< velocity 1.7-6 (bookworm)	velocity 1.7-6 (bookworm)
oracle	banking_deposits_and_lines_of_credit_servicing	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_enterprise_default_management	2.3.0 – 2.4.1	—
oracle	banking_loans_servicing	—	—
oracle	banking_party_management	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	2.3.0 – 2.4.1	—
oracle	communications_cloud_native_core_policy	—	—
oracle	communications_network_integrity	—	—
oracle	hospitality_token_proxy_service	—	—
oracle	retail_integration_bus	—	—
oracle	retail_order_broker	—	—

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

osv8.8HIGH