CVE Vulnerabilities

CVE-2020-13936

Published: Mar 10, 2021 | Modified: Nov 07, 2023
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
9 HIGH
AV:N/AC:L/Au:S/C:C/I:C/A:C
RedHat/V2
RedHat/V3
8.8 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Affected Software

Name Vendor Start Version End Version
Velocity_engine Apache * 2.3 (excluding)
Wss4j Apache 2.3.1 (including) 2.3.1 (including)
EAP 7.4.1 release RedHat *
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base RedHat velocity *
Red Hat EAP-XP via EAP 7.3.x base RedHat velocity *
Red Hat Fuse 7.9 RedHat velocity *
Red Hat Integration RedHat velocity *
Red Hat Integration Camel Quarkus RedHat velocity *
Red Hat JBoss Enterprise Application Platform 7.1.0 RedHat velocity *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-bouncycastle-0:1.68.0-2.redhat_00005.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-hal-console-0:3.2.14-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-infinispan-0:9.4.22-3.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-ironjacamar-0:1.4.30-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-genericjms-0:2.0.9-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-marshalling-0:2.0.11-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-server-migration-0:1.7.2-6.Final_redhat_00007.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jboss-weld-3.1-api-0:3.1.0-6.SP3_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-netty-0:4.1.60-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-resteasy-0:3.11.4-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-undertow-0:2.0.35-1.SP1_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-velocity-0:2.3.0-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-weld-core-0:3.1.6-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-wildfly-0:7.3.7-1.GA_redhat_00002.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-wildfly-elytron-0:1.10.12-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-wildfly-http-client-0:1.0.26-1.Final_redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 RedHat eap7-yasson-0:1.0.9-1.redhat_00001.1.el6eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-bouncycastle-0:1.68.0-2.redhat_00005.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-hal-console-0:3.2.14-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-infinispan-0:9.4.22-3.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-ironjacamar-0:1.4.30-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-genericjms-0:2.0.9-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-marshalling-0:2.0.11-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-server-migration-0:1.7.2-6.Final_redhat_00007.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jboss-weld-3.1-api-0:3.1.0-6.SP3_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-netty-0:4.1.60-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-resteasy-0:3.11.4-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-undertow-0:2.0.35-1.SP1_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-weld-core-0:3.1.6-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-wildfly-0:7.3.7-1.GA_redhat_00002.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-wildfly-elytron-0:1.10.12-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-wildfly-http-client-0:1.0.26-1.Final_redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 RedHat eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-bouncycastle-0:1.68.0-2.redhat_00005.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-hal-console-0:3.2.14-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-infinispan-0:9.4.22-3.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-ironjacamar-0:1.4.30-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-genericjms-0:2.0.9-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-marshalling-0:2.0.11-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-server-migration-0:1.7.2-6.Final_redhat_00007.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jboss-weld-3.1-api-0:3.1.0-6.SP3_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-netty-0:4.1.60-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-resteasy-0:3.11.4-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-undertow-0:2.0.35-1.SP1_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-weld-core-0:3.1.6-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-wildfly-0:7.3.7-1.GA_redhat_00002.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-wildfly-elytron-0:1.10.12-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-wildfly-http-client-0:1.0.26-1.Final_redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 RedHat eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 RedHat eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap *
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 RedHat eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap *
Velocity Ubuntu bionic *
Velocity Ubuntu esm-apps/bionic *
Velocity Ubuntu esm-apps/xenial *
Velocity Ubuntu focal *
Velocity Ubuntu groovy *
Velocity Ubuntu hirsute *
Velocity Ubuntu impish *
Velocity Ubuntu kinetic *
Velocity Ubuntu trusty *
Velocity Ubuntu xenial *

References