CVE-2020-13936

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

Published: Mar 10, 2021
Updated: Nov 8, 2023
CVE: CVE-2020-13936
GHSA: GHSA-59j4-wjwp-mw9m
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
apache / velocity_engine	-	2.3
apache / wss4j	2.3.1	2.3.1.x
debian / debian_linux	9.0	9.0.x
oracle / retail_order_broker	16.0	16.0.x
oracle / banking_platform	2.6.2	2.6.2.x
oracle / banking_platform	2.7.1	2.7.1.x
oracle / communications_network_integrity	7.3.6	7.3.6.x
oracle / banking_enterprise_default_management	2.12.0	2.12.0.x
oracle / banking_enterprise_default_management	2.10.0	2.10.0.x
oracle / banking_party_management	2.7.0	2.7.0.x
oracle / utilities_testing_accelerator	6.0.0.2.2	6.0.0.2.2.x
oracle / utilities_testing_accelerator	6.0.0.3.1	6.0.0.3.1.x
oracle / utilities_testing_accelerator	6.0.0.1.1	6.0.0.1.1.x
oracle / communications_cloud_native_core_policy	1.14.0	1.14.0.x
oracle / banking_platform	2.3.0	2.4.1.x
oracle / banking_loans_servicing	2.12.0	2.12.0.x
oracle / retail_service_backbone	19.0.1	19.0.1.x
oracle / retail_integration_bus	19.0.1	19.0.1.x
oracle / banking_enterprise_default_management	2.7.1	2.7.1.x
oracle / banking_enterprise_default_management	2.6.2	2.6.2.x
oracle / banking_enterprise_default_management	2.3.0	2.4.1.x
oracle / banking_deposits_and_lines_of_credit_servicing	2.12.0	2.12.0.x
oracle / retail_xstore_office_cloud_service	17.0.4	17.0.4.x
oracle / retail_xstore_office_cloud_service	18.0.3	18.0.3.x
oracle / retail_xstore_office_cloud_service	19.0.2	19.0.2.x
oracle / retail_xstore_office_cloud_service	20.0.1	20.0.1.x
oracle / retail_xstore_office_cloud_service	16.0.6	16.0.6.x
oracle / hospitality_token_proxy_service	19.2	19.2.x
org.apache.velocity / velocity-engine-parent	-	2.3
org.apache.velocity / velocity	-	1.7.x

Vulnerability Database

289,599

CVE-2020-13936