QwikSec

Security Database

CVE

CWE

Training

CVE-2020-13936

Published: Mar 10, 2021

Modified: Feb 13, 2025

PUBLISHED

Description

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Vendor	Product	Versions
Apache Software Foundation	Apache Velocity Engine	affected `Apache Velocity Engine - <= 2.2`

References

https://lists.apache.org/thread.html/r01043f584cbd47959fabe18fff64de940f81a65024bb8dddbda31d9a%40%3Cuser.velocity.apache.org%3E

x_refsource_MISC

[velocity-user] 20210310 CVE-2020-13936: Velocity Sandbox Bypass

mailing-list

x_refsource_MLIST

[velocity-commits] 20210310 [velocity-site] 01/01: CVE announcement

mailing-list

x_refsource_MLIST

[oss-security] 20210309 CVE-2020-13936: Velocity Sandbox Bypass

mailing-list

x_refsource_MLIST

[announce] 20210310 CVE-2020-13936: Velocity Sandbox Bypass

mailing-list

x_refsource_MLIST

[druid-commits] 20210316 [GitHub] [druid] clintropolis opened a new pull request #11002: suppress CVE check for security fix

mailing-list

x_refsource_MLIST

[debian-lts-announce] 20210317 [SECURITY] [DLA 2595-1] velocity security update

mailing-list

x_refsource_MLIST

[ws-dev] 20210318 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210318 [jira] [Created] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210319 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210319 [jira] [Comment Edited] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210322 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[santuario-dev] 20210323 [GitHub] [santuario-xml-security-java] dependabot[bot] opened a new pull request #33: Bump dependency-check-maven from 6.1.2 to 6.1.3

mailing-list

x_refsource_MLIST

[ws-dev] 20210324 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210325 [jira] [Updated] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210325 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[turbine-commits] 20210329 svn commit: r1888167 - /turbine/core/trunk/pom.xml

mailing-list

x_refsource_MLIST

[ws-dev] 20210331 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

[ws-dev] 20210401 [jira] [Commented] (WSS-683) WSS4J depends on Velocity 1.7 which contains a security vulnerability (CVE-2020-13936)

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_GENTOO

[activemq-users] 20210830 Security issues

mailing-list

x_refsource_MLIST

[activemq-users] 20210831 RE: Security issues

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpujan2022.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.