Bugzilla – Bug 1183360
VUL-0: CVE-2020-13936: velocity: arbitrary code execution when attacker is able to modify templates
Last modified: 2022-10-11 13:21:32 UTC
rh#1937440

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify Velocity templates running Apache Velocity Engine versions up to 2.2.

References:
https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E
http://www.openwall.com/lists/oss-security/2021/03/10/1
https://bugzilla.redhat.com/show_bug.cgi?id=1937440
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13936
http://seclists.org/oss-sec/2021/q1/202
https://access.redhat.com/security/cve/CVE-2020-13936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13936
https://lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E
https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a@%3Cuser.velocity.apache.org%3E
https://lists.apache.org/thread.html/r3ea4c4c908505b20a4c268330dfe7188b90c84dcf777728d02068ae6@%3Cannounce.apache.org%3E
We discussed this during our planning meeting and came to the conclusion that there is no action needed from the SUMA side, since we don't actually ship this package; it's just a build requirement.
This is an autogenerated message for OBS integration: This bug (1183360) was mentioned in https://build.opensuse.org/request/show/878483 Factory / velocity
This is an autogenerated message for OBS integration: This bug (1183360) was mentioned in https://build.opensuse.org/request/show/878595 Factory / velocity
openSUSE-SU-2021:0447-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1183360
CVE References: CVE-2020-13936
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): velocity-1.7-lp152.5.3.1
fixed
SUSE-SU-2022:3560-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 1183360,1202932,1203149,1203153,1203154,1203158
CVE References: CVE-2020-13936,CVE-2022-25857,CVE-2022-38749,CVE-2022-38750,CVE-2022-38751,CVE-2022-38752
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): snakeyaml-1.31-150200.12.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.