Vulnerability Description
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload or modify Velocity templates and that run Apache Velocity Engine versions up to 2.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Velocity Engine | < 2.3 |
| Apache | Wss4J | 2.3.1 |
| Debian | Debian Linux | 9.0 |
| Oracle | Banking Deposits And Lines Of Credit Servicing | 2.12.0 |
| Oracle | Banking Enterprise Default Management | >= 2.3.0, <= 2.4.1 |
| Oracle | Banking Loans Servicing | 2.12.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Platform | >= 2.3.0, <= 2.4.1 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Network Integrity | 7.3.6 |
| Oracle | Hospitality Token Proxy Service | 19.2 |
| Oracle | Retail Integration Bus | 19.0.1 |
| Oracle | Retail Order Broker | 16.0 |
| Oracle | Retail Service Backbone | 19.0.1 |
| Oracle | Retail Xstore Office Cloud Service | 16.0.6 |
| Oracle | Utilities Testing Accelerator | 6.0.0.1.1 |
References
- http://www.openwall.com/lists/oss-security/2021/03/10/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024 (Mailing List, Vendor Advisory)
- https://lists.apache.org/thread.html/r0bc98e9cd080b4a13b905c571b9bed87e1a0878d44
- https://lists.apache.org/thread.html/r17cb932fab14801b14e5b97a7f05192f4f366ef260
- https://lists.apache.org/thread.html/r293284c6806c73f51098001ea86a14271c39f72cd7
- https://lists.apache.org/thread.html/r39de20c7e9c808b1f96790875d33e58c9c0aabb44f
- https://lists.apache.org/thread.html/r3ea4c4c908505b20a4c268330dfe7188b90c84dcf7
- https://lists.apache.org/thread.html/r4cd59453b65d4ac290fcb3b71fdf32b4f1f8989025
- https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef6359630
- https://lists.apache.org/thread.html/r7f209b837217d2a0fe5977fb692e7f15d37fa5de82
- https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56
- https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb
- https://lists.apache.org/thread.html/rbee7270556f4172322936b5ecc9fabf0c09f00d4fa
- https://lists.apache.org/thread.html/rd2a89e17e8a9b451ce655f1a34117752ea1d18a22c
FAQ
What is CVE-2020-13936?
CVE-2020-13936 is a vulnerability with a CVSS score of 8.8 (HIGH). An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This appli...
How severe is CVE-2020-13936?
CVE-2020-13936 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-13936?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Velocity Engine, Apache Wss4J, Debian Debian Linux, Oracle Banking Deposits And Lines Of Credit Servicing, Oracle Banking Enterprise Default Management.