Severity
8.8 HIGH
EPSS
16.4% (top 5.13%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 10
Latest update: Jul 15

Description

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload or modify Velocity templates and that run Apache Velocity Engine versions up to 2.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (19 packages)

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (4 entries)

OSV: Sandbox Bypass in Apache Velocity Engine (2022-01-06)
GHSA: Sandbox Bypass in Apache Velocity Engine (2022-01-06)
OSV: CVE-2020-13936: An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the... (2021-03-10)
CVEList: Velocity Sandbox Bypass (2021-03-10)

Vendor Advisories (10 entries)

Oracle: Oracle GoldenGate Risk Matrix: GoldenGate Studio (Apache Velocity Engine) — CVE-2020-13936 (2025-07-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Apache Velocity Engine) — CVE-2020-13936 (2025-04-15)
Ubuntu: Velocity Engine vulnerability (2023-08-10)
Oracle: Oracle Financial Services Applications Risk Matrix: IDM - Authentication (Apache Velocity Engine) — CVE-2020-13936 (2023-07-15)
Oracle: Oracle Utilities Applications Risk Matrix: General (Apache Velocity Engine) — CVE-2020-13936 (2023-04-15)